Privacy Policy

Last updated: 9 March 2026

This Privacy Policy explains how Glór Participation Software Limited (“Glór”, “we”, “us”, or “our”) collects, uses, and protects information when you use our platform at glor.online. We are committed to protecting the privacy of both presenters (registered users) and participants (audience members who join events).

1. Who We Are

Glór Participation Software Limited is a company registered in Ireland. For individual presenters, we are the data controller for the personal data processed through our platform. When Glór is used by an institution (such as a school, university, or organisation), the institution is typically the data controller and Glór acts as a data processor, providing the service on the institution’s instruction. See Educational and Institutional Use for details.

  • Entity: Glór Participation Software Limited
  • Country: Ireland
  • Contact: hello@glor.online

2. Data We Collect

2.1 Presenter Accounts

When you create a presenter account, we collect:

  • Email address and name — via our authentication provider (Supabase Auth)
  • Subscription and billing data — processed by Stripe (we do not store credit card numbers)
  • Preferences — language selection, display settings
  • Content you create — events, polls, questions, and any uploaded media (e.g. logos)

2.2 Participants

Participants join events without creating an account. We collect:

  • Session token — a randomly generated identifier for the browser session
  • Optional nickname — only if the participant chooses to provide one
  • Anonymous flag — whether the participant opted to remain anonymous
  • Join timestamp — when the participant joined the event
  • Poll responses, Q&A questions, and upvotes — associated with the session token, not a named person

We do not collect participant email addresses, and no account is required to participate. This data-minimised design means participants — including minors in educational settings — can engage without providing personal information. Where a host enables open-text features (such as Q&A or open-ended polls), participants choose what to type; hosts are responsible for configuring events appropriately for their audience.

2.3 Automated Data

We use two privacy-focused, cookieless analytics services to understand how the platform is used:

  • Vercel Analytics — collects anonymous page view and performance metrics. No cookies, no PII, no cross-site tracking.
  • Umami — collects anonymous usage statistics. No cookies, no PII, no cross-site tracking.

Neither service can identify individual users or track them across websites.

2.4 Security and Abuse Prevention

To protect the platform and its users, we may temporarily process IP addresses and user agent strings for abuse detection and rate limiting. This data is used solely for security purposes and is not linked to user accounts or participant profiles.

3. How We Use Your Data

We use the data we collect to:

  • Provide and operate the Glór platform (events, polls, Q&A, real-time interactions)
  • Process subscriptions and billing
  • Send service-related communications (e.g. account confirmation, subscription receipts)
  • Prevent abuse, fraud, and security incidents
  • Understand usage patterns to improve the platform (via anonymous analytics only)
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for profiling or automated decision-making.

3.1 Advertising Conversion Measurement

To measure the effectiveness of our advertising campaigns, we use two approaches:

  • Server-side conversion API: When you sign up or subscribe, we may share a cryptographically hashed (anonymised, irreversible) version of your email address with advertising platforms (Google, Meta, and Reddit). The hashing transforms your email into a random string of characters that cannot be reversed to reveal your actual address. These platforms never receive your plain-text email from Glór.
  • Client-side tags (with consent): We use Google Tag (with Google Consent Mode v2), Meta Pixel, and Reddit Pixel to measure page views and advertising effectiveness. For visitors in the European Economic Area (EEA) and the UK, these tools operate in a privacy-restricted mode by default and only set advertising or analytics cookies after you explicitly accept marketing cookies. For visitors outside the EEA, these tags operate with full measurement by default.

Participants are never tracked. People who join events via QR code or join link never see a consent banner and never have any advertising scripts loaded — even if they navigate to other pages on our site during the same session. Participant data is never shared with advertising platforms.

4. Legal Bases for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to provide the service to registered presenters — account management, event delivery, and subscription billing.
  • Legitimate interest (Article 6(1)(f)): Anonymous analytics to improve the platform, server-side conversion measurement using hashed email to evaluate advertising effectiveness, and security measures to prevent abuse. We balance these interests against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): Retaining financial records as required by Irish tax law.

For visitors in the EEA and UK, we rely on consent (Article 6(1)(a)) before setting any marketing or analytics cookies via Google Tag or Meta Pixel. These tags operate in a restricted mode until consent is given.

5. Cookies and Similar Technologies

Glór uses essential cookies that are strictly necessary for the platform to function, plus optional marketing cookies that are only set with your consent (EEA/UK) or by default (rest of world).

5.1 Essential Cookies

CookiePurposeDuration
sb-*Supabase authentication (session management)Session / 7 days
user_localeLanguage preference30 days
user_locale_sourceHow the language preference was set30 days
event_localeParticipant route localeSession
localeLegacy locale preference30 days
glor_consentStores your cookie preference (essential/marketing)1 year
glor_regionRegion detection for consent banner display (EEA or other)30 days

5.2 Marketing Cookies (consent required in EEA/UK)

When marketing consent is active, the following third-party cookies may be set:

CookieProviderPurposePolicy
_ga, _gid, _gcl_*GoogleAnalytics and advertising measurementGoogle Privacy Policy
_fbp, _fbcMetaAdvertising measurementMeta Privacy Policy
_rdt_uuidRedditAdvertising measurementReddit Privacy Policy

For EEA and UK visitors, these cookies are only set after you click “Accept all” in the consent banner. You can withdraw consent at any time via the “Cookie preferences” link in the page footer. For visitors outside the EEA, marketing measurement operates by default in accordance with local regulations.

Our cookieless analytics services (Vercel Analytics and Umami) do not set any cookies on your device.

5.3 Third-Party Embedded Content

Presenters may embed external slide decks from third-party providers (such as Google Slides, Microsoft PowerPoint Online, or Canva) to display alongside polls and Q&A during events. This content is loaded directly from the provider’s servers via an iframe — Glór does not store, copy, or proxy slide content.

When embedded content is loaded, the third-party provider may set its own cookies or collect data according to its own privacy policy. Glór has no control over these providers’ data practices. We encourage presenters to review the privacy policies of any service they choose to embed:

6. Data Processors

We use the following third-party services to operate the platform. Each acts as a data processor on our behalf:

ServicePurposeLocation
SupabaseDatabase, authentication, file storage, real-time connectionsEU
StripePayment processing and subscription managementUS (EU SCCs)
AblyReal-time messaging (WebSocket connections for live event updates)UK (EU–UK Adequacy Decision)
VercelHosting and anonymous analyticsUS (EU SCCs)
Umami CloudAnonymous usage analyticsEU
Google AdsServer-side conversion measurement (hashed email) and client-side Google Tag with Consent Mode v2 (page views, advertising measurement — cookies only with consent in EEA/UK)US (EU SCCs)
Meta PlatformsServer-side Conversions API (hashed email) and client-side Meta Pixel (page views, advertising measurement — loaded only with consent in EEA/UK)US (EU SCCs)
RedditServer-side Conversions API (hashed email) and client-side Reddit Pixel (page views, advertising measurement — loaded only with consent in EEA/UK)US (EU SCCs)

We do not share your data with any other third parties for their own purposes. Advertising platforms receive only cryptographically hashed identifiers for conversion counting — never plain-text email addresses, browsing data, or participant information.

7. International Transfers

Some of our data processors are based outside the European Economic Area (EEA). Vercel, Stripe, Google, Meta, and Reddit are based in the United States; transfers to them are protected by EU Standard Contractual Clauses (SCCs) as approved by the European Commission. Ably is based in the United Kingdom; transfers are covered by the EU–UK Adequacy Decision.

8. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy:

  • Presenter account data — retained while the account is active. Removed from our active systems on account deletion, which cascades to all associated events, polls, responses, and Q&A content.
  • Participant session data — retained for the lifetime of the associated event. Removed from active systems when the event or presenter account is deleted.
  • Subscription and billing records — archived (not deleted) on account deletion for financial and legal obligations. Archived records are anonymised: payment provider identifiers are cryptographically hashed and no personally identifiable information is retained. These records are kept for up to 7 years in accordance with Irish revenue requirements.
  • Analytics data — aggregated and anonymous. Contains no personal information to retain or delete.
  • Audit logs — retained for 90 days, then automatically purged. If an account is deleted before that period, audit log entries are de-identified (the user reference is removed).

Residual copies of deleted data may persist temporarily in automated backups, which expire on their normal rotation schedule. We may maintain an internal retention schedule with more granular detail. This summary reflects our commitments to you.

9. Security Measures

We take reasonable technical and organisational measures designed to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Row-level security (RLS) policies in our database to enforce access controls
  • Role-based access restrictions for administrative functions
  • Regular review of security practices and processor agreements

While we aim to protect your personal data to a high standard, no method of electronic transmission or storage is completely without risk. We cannot guarantee absolute security, but we are committed to maintaining and improving our protections.

10. Your Rights

Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your data (see Account Deletion below)
  • Restriction — request that we limit how we process your data
  • Portability — request your data in a structured, commonly used format
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at hello@glor.online. We will respond within 30 days as required by the GDPR.

You also have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission.

11. Account Deletion

Presenters can permanently delete their account at any time from Settings. This action is irreversible and will delete all user data as described in the Data Retention section above, including all events, polls, participant responses, and Q&A content. An anonymised subscription snapshot is archived for financial and legal obligations — payment provider identifiers are cryptographically hashed and no personally identifiable information is retained in the archive.

12. Educational and Institutional Use

Glór is designed to work well in educational environments such as schools, universities, and training programmes. When an institution uses Glór:

  • Data controller and processor roles: The institution is typically the data controller (it decides why and how the data is processed), and Glór acts as a data processor, providing the platform on the institution’s instruction.
  • No student accounts: Participants do not need to create accounts, provide email addresses, or otherwise identify themselves. Participation is anonymous or pseudonymous by default.
  • Session data: Participant session tokens are randomly generated and are not linked to any personal identity. They exist for the duration of the event session.
  • Open-text responses: Where the host enables open-text features (Q&A, open-ended polls), participants choose what to submit. Hosts should configure events appropriately for their audience and are responsible for moderating content.
  • Retention and deletion: Participant data is retained in our active systems only for the lifetime of the associated event and is removed when the host deletes the event or their account. Hosts control when this happens. Residual copies may persist temporarily in automated backups, which expire on their normal rotation schedule.
  • Analytics: Our analytics services (Vercel Analytics and Umami) are cookieless, anonymous, and cannot identify individual participants.

Institutions that require a formal data processing agreement should contact us at hello@glor.online.

13. Children

Glór is not marketed to or directed at children as a consumer product. We do not knowingly collect personal information from children under 16 outside of an institutional context.

In educational settings, minors may participate in events under the supervision and responsibility of their institution. Because participation does not require an account, email, or personal information, the data collected from participants is minimal and anonymous or pseudonymous by design. The institution is responsible for obtaining any parental or guardian consent required by applicable law.

If you believe a child has provided us with personal data outside of an institutional context, please contact us and we will take steps to delete that information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. For material changes, we will notify registered users by email at least 14 days before the changes take effect. Until our email notification system is operational, we will update the date prominently on this page. Continued use of the service after the notice period constitutes acceptance of the updated policy.

15. Contact

For any questions about this Privacy Policy or how we handle your data, please contact us: