Last updated: 8 June 2026
This Privacy Policy explains how Glór Participation Software Limited (“Glór”, “we”, “us”, or “our”) collects, uses, and protects information when you use our platform at glor.online. We are committed to protecting the privacy of both presenters (registered users) and participants (audience members who join events).
Glór Participation Software Limited is a company registered in Ireland. For individual presenters, we are the data controller for the personal data processed through our platform. When Glór is used by an institution (such as a school, university, or organisation), the institution is typically the data controller and Glór acts as a data processor, providing the service on the institution’s instruction. See Educational and Institutional Use for details.
When you create a presenter account, we collect:
Participants join events without creating an account. We collect:
We do not collect participant email addresses, and no account is required to participate. This data-minimised design means participants — including minors in educational settings — can engage without providing personal information. Where a host enables open-text features (such as Q&A or open-ended polls), participants choose what to type; hosts are responsible for configuring events appropriately for their audience.
We use two privacy-focused, cookieless analytics services to understand how the platform is used:
Neither service can identify individual users or track them across websites.
To protect the platform and its users, we may temporarily process IP addresses and user agent strings for abuse detection and rate limiting. This data is used solely for security purposes and is not linked to user accounts or participant profiles.
We use the data we collect to:
We do not sell your personal information. We do not use your data for profiling or automated decision-making.
To measure the effectiveness of our advertising campaigns, we use two approaches:
Participants are never tracked. People who join events via QR code or join link never see a consent banner, and no advertising pixels (Meta Pixel, Reddit Pixel) are ever loaded for them — even if they navigate to other pages on our site during the same session. Our cookieless analytics (Vercel Analytics and Umami) and Google Tag may load in a privacy-restricted mode, but they set no advertising cookies and collect no personal data. Participant data is never shared with advertising platforms.
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:
For visitors in the EEA and UK, we rely on consent (Article 6(1)(a)) before setting any marketing or analytics cookies via Google Tag or Meta Pixel. These tags operate in a restricted mode until consent is given.
Glór uses essential cookies that are strictly necessary for the platform to function, plus optional marketing cookies that are only set with your consent (EEA/UK) or by default (rest of world).
| Cookie | Purpose | Duration |
|---|---|---|
| sb-* | Supabase authentication (session management) | Session / 7 days |
| user_locale | Language preference | 30 days |
| user_locale_source | How the language preference was set | 30 days |
| event_locale | Participant route locale | Session |
| locale | Legacy locale preference | 30 days |
| glor_consent | Stores your cookie preference (essential/marketing) | 1 year |
| glor_region | Region detection for consent banner display (EEA or other) | 30 days |
When marketing consent is active, the following third-party cookies may be set:
| Cookie | Provider | Purpose | Policy |
|---|---|---|---|
| _ga, _gid, _gcl_* | Analytics and advertising measurement | Google Privacy Policy | |
| _fbp, _fbc | Meta | Advertising measurement | Meta Privacy Policy |
| _rdt_uuid | Advertising measurement | Reddit Privacy Policy |
For EEA and UK visitors, these cookies are only set after you click “Accept all” in the consent banner. You can withdraw consent at any time via the “Cookie preferences” link in the page footer. For visitors outside the EEA, marketing measurement operates by default in accordance with local regulations.
Our cookieless analytics services (Vercel Analytics and Umami) do not set any cookies on your device.
Presenters may embed external slide decks from third-party providers (such as Google Slides, Microsoft PowerPoint Online, or Canva) to display alongside polls and Q&A during events. This content is loaded directly from the provider’s servers via an iframe — Glór does not store, copy, or proxy slide content.
When embedded content is loaded, the third-party provider may set its own cookies or collect data according to its own privacy policy. Glór has no control over these providers’ data practices. We encourage presenters to review the privacy policies of any service they choose to embed:
We use third-party services to operate the platform. Each acts as a data processor on our behalf. To make data residency clear, we group them below by where your data is processed.
Core platform data is stored in the EU. The following is stored within the European Economic Area (EEA) during normal operation:
We use Ably, a global real-time network, only to keep the live state of a presentation in sync across devices — for example, signalling which poll is currently open or that results are now visible — see section 6.2. It does not carry names, email addresses, votes, or Q&A content; these are sent to and stored in the EEA.
| Service | Purpose | Processing location |
|---|---|---|
| Supabase | Database, authentication, file storage, and real-time connections — all core platform data | EU (Stockholm, Sweden) |
| Vercel | Application hosting, serverless functions, and anonymous analytics | EU (Ireland, France, Germany, Sweden) |
| Umami Cloud | Anonymous usage analytics | EU |
The data below is processed outside the EEA. Participant votes, Q&A submissions, and account content are never included in these transfers — they remain stored in the EEA. Transfers to the United States are protected by EU Standard Contractual Clauses (SCCs).
| Service | Purpose | Data transferred | Location |
|---|---|---|---|
| Ably | Keeps the live state of a presentation in sync across devices (e.g. which poll is open, whether results are shown) | Presentation state signals only, plus a pseudonymous session identifier and standard connection metadata (e.g. IP address) needed to maintain the connection. No names, email addresses, votes, or Q&A content. | Global edge network (EU SCCs) |
| Stripe | Payment processing and subscription management | Billing and subscription data (presenters only) | US (EU SCCs) |
| Google Ads | Server-side conversion measurement and client-side Google Tag with Consent Mode v2 (cookies only with consent in EEA/UK) | Hashed email on sign-up or subscribe; page views with consent | US (EU SCCs) |
| Meta Platforms | Server-side Conversions API and client-side Meta Pixel (loaded only with consent in EEA/UK) | Hashed email on sign-up or subscribe; page views with consent | US (EU SCCs) |
| Server-side Conversions API and client-side Reddit Pixel (loaded only with consent in EEA/UK) | Hashed email on sign-up or subscribe; page views with consent | US (EU SCCs) |
Ably is used purely to synchronise presentation state (such as which poll is open or whether results are shown) — it is not used to store or transfer personal data about you. Because Ably operates a global real-time edge network and routes each connection to its nearest data centre, the limited connection data described above (a pseudonymous identifier and standard connection metadata) may be processed outside the EEA depending on a participant’s location. This is governed by Ably’s data processing terms and EU SCCs.
We do not share your data with any other third parties for their own purposes. Advertising platforms receive only cryptographically hashed identifiers for conversion counting — never plain-text email addresses, browsing data, or participant information.
All core platform data — presenter accounts, events, polls, participant responses, and uploaded content — is stored in Stockholm, Sweden (Supabase) and processed by our application servers in EU regions (Vercel: Ireland, France, Germany, and Sweden). Anonymous analytics are also processed in the EU.
Data is processed outside the EEA only for the limited purposes described in section 6.2: keeping presentation state in sync (Ably), presenter billing (Stripe), and optional advertising measurement (Google, Meta, and Reddit). Ably is used only to synchronise the live state of a presentation across devices; it does not carry names, email addresses, votes, or Q&A content, which remain stored in the EEA. Because Ably routes connections through a global edge network, the limited connection data it handles may be processed outside the EEA. Transfers to the United States and other non-EEA locations are protected by EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
We retain your data only for as long as necessary for the purposes described in this policy:
Residual copies of deleted data may persist temporarily in automated backups, which expire on their normal rotation schedule. We may maintain an internal retention schedule with more granular detail. This summary reflects our commitments to you.
We take reasonable technical and organisational measures designed to protect your data, including:
While we aim to protect your personal data to a high standard, no method of electronic transmission or storage is completely without risk. We cannot guarantee absolute security, but we are committed to maintaining and improving our protections.
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
To exercise any of these rights, contact us at hello@glor.online. We will respond within 30 days as required by the GDPR.
You also have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission.
Presenters can permanently delete their account at any time from Settings. This action is irreversible and will delete all user data as described in the Data Retention section above, including all events, polls, participant responses, and Q&A content. An anonymised subscription snapshot is archived for financial and legal obligations — payment provider identifiers are cryptographically hashed and no personally identifiable information is retained in the archive.
Glór is designed to work well in educational environments such as schools, universities, and training programmes. When an institution uses Glór:
Institutions that require a formal data processing agreement should contact us at hello@glor.online.
Glór is not marketed to or directed at children as a consumer product. We do not knowingly collect personal information from children under 16 outside of an institutional context.
In educational settings, minors may participate in events under the supervision and responsibility of their institution. Because participation does not require an account, email, or personal information, the data collected from participants is minimal and anonymous or pseudonymous by design. The institution is responsible for obtaining any parental or guardian consent required by applicable law.
If you believe a child has provided us with personal data outside of an institutional context, please contact us and we will take steps to delete that information.
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. For material changes, we will notify registered users by email at least 14 days before the changes take effect. Until our email notification system is operational, we will update the date prominently on this page. Continued use of the service after the notice period constitutes acceptance of the updated policy.
For any questions about this Privacy Policy or how we handle your data, please contact us: