PRIVACY POLICY

Glitch Labs operates the Glitch digital audio workstation, an AI-native desktop app for macOS and the supporting cloud services that power its account, billing, and AI features. Glitch Labs is based in California, United States, and the Services are operated from the United States.

For any questions about this policy or to exercise the rights described below, contact us at admin@glitchlabs.io.

The Services are not directed to children. You must be at least 16 years old to create an account or use the Services. If we learn we have collected personal information from a user under 16, we will delete that information. If you believe a child under 16 has used the Services, please contact us at admin@glitchlabs.io.

Account information

When you create an account, we collect your email address and, if you sign up with a password, an encrypted form of that password. If you sign in with Google OAuth, we receive your name, email address, a unique Google user identifier, and your profile picture URL from Google. We do not receive your Google password.

You may add an optional display name and avatar URL to your profile.

Subscription and billing information

If you subscribe to a paid plan, our payment processor (Stripe, Inc.) collects and stores your payment instrument details directly — we do not see or store your full card number. We store the Stripe customer identifier associated with your account, your current subscription plan, status, billing period, trial dates, and cancellation status.

AI usage telemetry

When you use the Glitch AI agent or other generative AI features, we log metadata about each request: the model used, token counts, response timing, whether the request included project state or attachments (but not their contents), tool-call counts, error information, and credits charged. We use this telemetry for usage metering, rate limiting, billing, abuse prevention, and improving the reliability of the service.

We do not currently store the content of your AI prompts or AI responses on our servers. Prompts and completions are passed through our gateway to the relevant AI provider and the responses are returned to your app without being persisted in our database. See “Service providers” below for how those providers handle that data.

We reserve the right to change this practice in the future — for example, to add features like persistent conversation history or to improve our products. If we begin storing prompt or response content, we will update this policy and, where required by law, notify you and obtain any consent needed before doing so.

Device, log, and network information

When you sign in, download the desktop app, or send a request to our gateway, we automatically collect:

• A one-way SHA-256 hash of your IP address (we do not retain the raw IP in our application database, though our auth provider retains session IPs for security purposes as described below);
• Your user-agent string and operating-system platform;
• An approximate country derived from your IP address;
• The referer URL and UTM marketing parameters, if present;
• The Glitch app version, request and response timestamps, and error information when something fails.

Authentication session data

Our authentication provider (Supabase) records your sign-in history, including the IP address and user-agent of each session, the OAuth identities linked to your account, and short-lived flow state used to complete OAuth and desktop sign-in handshakes. We use this data to keep your account secure and to detect abuse.

Cookies and analytics

We use first-party cookies that are strictly necessary to keep you signed in, to complete OAuth and desktop sign-in flows, and to remember basic preferences. We do not use third-party advertising cookies.

We use Vercel Web Analytics on our website to measure aggregate traffic patterns. Vercel Web Analytics is privacy-friendly and does not use cookies for tracking or build cross-site profiles of visitors.

Information you choose to provide

If you email our support address or otherwise contact us, we will receive your email address, the contents of your message, and any attachments you send. We use this information only to respond to you and to keep a record of the interaction.

We use the information described above to:

• Create, secure, and operate your account;
• Provide the Glitch desktop app and AI features, including routing your AI requests to the appropriate model provider;
• Process subscriptions, payments, refunds, and credit accounting through Stripe;
• Enforce rate limits, prevent abuse, and detect fraud or security incidents;
• Communicate with you about your account, billing, service changes, and support requests;
• Understand how the Services are used in aggregate so we can improve them;
• Comply with our legal and tax obligations.

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR to process your information:

• Contract — to provide the Services you have signed up for, including running your AI requests and managing your subscription.
• Legitimate interests — to keep the Services secure, prevent abuse, measure aggregate usage, and improve product reliability.
• Legal obligation — to comply with tax, accounting, and other applicable laws.
• Consent — where we ask for it, such as for optional marketing emails or any future feature that would store the content of your AI prompts or responses.

We do not sell or rent your personal information. We share it only with the service providers that operate the Services on our behalf, under contracts that restrict their use of your data to providing those services. The current providers are:

• Supabase, Inc. — managed Postgres database, authentication, storage, and edge functions. Stores your account, profile, billing, and telemetry records.
• Vercel, Inc. — hosts the website and serverless infrastructure, and provides aggregate Web Analytics.
• Stripe, Inc. — processes payments, holds your payment instrument details, and stores billing history. Stripe’s privacy practices are described at stripe.com/privacy.
• Google LLC — when you sign in with Google, Google authenticates you and shares the profile information described above with us.
• Anthropic, PBC — processes your AI prompts and returns completions when you use a Claude model. By default, Anthropic does not use API traffic to train its models. See anthropic.com/legal/privacy.
• Features and Labels, Inc. (fal.ai) — runs the audio and other generative AI models you invoke through Glitch. Your prompts, reference audio, and other inputs are sent to fal.ai for inference. See fal.ai/privacy.

We may engage additional service providers in the future and will update this list when we do.

We may also disclose information when required by law, valid legal process (such as a subpoena or court order), to protect the rights, property, or safety of Glitch Labs, our users, or others, or in connection with a merger, acquisition, or sale of assets (in which case we will require the recipient to honor this policy or notify you of any material change).

As stated above, we do not currently store the content of your AI prompts or AI responses on our servers, and we do not currently use your content to train any AI model — ours or a third party’s.

We reserve the right to use anonymized or aggregated information derived from your use of the Services — such as model performance metrics, error rates, and feature engagement — to improve the Services, including to train, fine-tune, or evaluate AI models. We will not include personally identifying information in any such dataset.

If in the future we decide to use the actual content of your prompts, AI responses, generated audio, or uploaded reference material to train or fine-tune AI models, we will update this policy in advance and, where required by applicable law, give you a clear opportunity to opt out (or opt in, where opt-in consent is required) before doing so.

We operate the Services from the United States, and our service providers may process your information in the United States and other countries. If you access the Services from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States and other jurisdictions whose data protection laws may differ from those of your country.

Where required by law, we rely on appropriate transfer mechanisms — such as the European Commission’s Standard Contractual Clauses — to protect your information when it is transferred outside the EEA or UK.

We keep your account and profile information for as long as your account is active. AI usage telemetry, credit-ledger entries, and authentication session data are retained for as long as reasonably necessary for billing, security, and abuse prevention.

When you delete your account, we delete or anonymize personal information associated with your account from our active systems. Some records may persist for a limited period in encrypted backups before being overwritten, and we may retain information we are legally required to keep (for example, tax and billing records held by Stripe).

Depending on where you live, you may have the following rights with respect to your personal information:

• Access — ask for a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate information.
• Deletion — ask us to delete your account and the personal information associated with it. You can do this yourself from the dashboard, or by emailing us.
• Portability — ask for a machine-readable copy of certain information you provided to us.
• Objection or restriction — object to, or ask us to restrict, certain processing of your information.
• Withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email admin@glitchlabs.io. We will respond within the timeframes required by applicable law. We will not discriminate against you for exercising a privacy right.

You may also have the right to lodge a complaint with the data protection authority in your country.

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”).

In the prior twelve months, we have collected the following categories of personal information about California residents: identifiers (such as email and Google account identifier), commercial information (subscription and billing records), internet or other electronic network activity information (request telemetry, hashed IP, user-agent, referer), geolocation information (approximate country from IP), and inferences drawn from the above for product and security purposes. We collect this information for the business purposes described in “How we use information” above and disclose it to the service providers listed in “Service providers we share data with.”

We have not sold or “shared” (as defined in the CCPA) personal information in the past twelve months, and we do not sell or share personal information. We do not use or disclose sensitive personal information for any purpose that would give California residents a right to limit such use.

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, and the right to be free from discrimination for exercising these rights. To submit a request, email admin@glitchlabs.io. We will verify your request by matching the information you provide to information already associated with your account.

We use industry-standard administrative, technical, and physical safeguards to protect your information — including TLS in transit, encryption at rest by our cloud providers, least-privilege access controls, and one-way hashing of IP addresses where we retain them. No system is perfectly secure; we cannot guarantee the absolute security of any information you transmit to us, and you provide it at your own risk.

We may update this Privacy Policy from time to time. If we make material changes, we will revise the “Last updated” date at the top and, where appropriate, give you additional notice (for example, by email or an in-app notice). Your continued use of the Services after the changes take effect constitutes acceptance of the updated policy.

Questions, comments, or requests about this Privacy Policy can be directed to admin@glitchlabs.io.