Privacy Policy

Effective: May 25, 2026 · Last updated: May 25, 2026

This policy explains what data Glimbo collects, why, how we use it, who we share it with, and what rights you have. The short version: we collect the minimum we need to run the Service, your likeness and messages are off-by-default opt-in, we never sell your data, and we never use it to train AI foundation models.

This is a template. This document is provided as a starting point and is not legal advice. Have it reviewed by a qualified lawyer before relying on it.

1. Overview

Glimbo (“we,” “us,” or “our”) operates the Glimbo Discord bot and the Glimbo web app at glimbo.app (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have.

We aim for two things in how we treat your data: collect only what we need to run the Service, and respect your settings — including settings you change later.

This policy is written to comply with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws.

2. Who is the data controller

For purposes of GDPR, UK GDPR, and similar laws, Glimbo is the “data controller” of personal data we collect through the Service. You can contact us about your data at:

  • Privacy and data requests: [email protected]
  • EU representative (if required): to be appointed prior to scaled launch in the EEA

3. What we collect and why

We collect the minimum data needed to run the Service. We do not buy data about you from third parties. We do not run third-party advertising on the Service. We do not sell your personal information.

| Data | Why | Legal basis |
| --- | --- | --- |
| Discord user ID, username, display name, avatar URL | Identify your account and link cards, balances, and settings to you. Display you to other users in the contexts you have opted into (leaderboards, profile, market). | Contract performance (necessary to provide the Service) |
| Discord server (guild) IDs and names where Glimbo is installed and you are a member | Scope card pulls, market listings, and leaderboards to the correct community. | Contract performance |
| Public Discord messages in channels where Glimbo is installed | Only processed when you have opted in to 'Use my messages as card lore context.' Used to generate aggregate flavor text via our AI provider. Never quoted verbatim. | Consent (opt-in setting) |
| Your Discord avatar image | Only used as a stylized AI reference when you have opted in to 'Use my likeness in card art.' Always heavily artistic interpretation; never photorealistic. | Consent (opt-in setting) |
| Card collection state, Glimbux balance, equipped cosmetics, settings choices | Persist your in-game progress and preferences across sessions and devices. | Contract performance |
| Activity timestamps (when you pulled, traded, signed in, etc.) | Power the live activity feed; sort cards, listings, and rankings; detect abuse. | Contract performance / Legitimate interests (abuse detection) |
| Approximate country (derived from IP address at sign-in) | Apply jurisdiction-specific privacy controls (EEA / UK / California flows). We do not store full IP addresses long-term. | Legal obligation (jurisdictional compliance) |
| Consent records (timestamped log of your privacy choices) | Demonstrate compliance with consent-based processing, GDPR Art. 7, and similar laws. Append-only audit trail. | Legal obligation / Legitimate interests |
| Payment metadata (subscription state, transaction IDs from Discord/Stripe) | Process subscriptions and Glimbux purchases. We never see your full payment card number. | Contract performance |
| Diagnostic logs (errors, performance metrics) | Keep the Service running and debug issues. Logs are auto-pruned after 30 days. | Legitimate interests (security and reliability) |

4. AI-generated content and your likeness

The most sensitive data we process is your likeness — your Discord avatar — when you opt in to AI-generated card art that uses you as a visual reference. We treat this with extra care:

  • Opt-in only. Both “Include me as a card subject” and “Use my likeness in card art” are off by default. You must turn them on explicitly.
  • Stylized output only. Our prompts and post-generation filters reject photorealistic outputs. The intent is artistic interpretation, not replication.
  • No training on your data. We use AI providers in inference mode. We do not consent to those providers using your data to train their foundation models, and we configure their APIs accordingly where the option exists.
  • Revocation. You can revoke either consent at any time in your profile settings. Revocation stops new generation immediately and removes existing cards depicting you from public-facing surfaces within 7 days upon request.
  • No payment for your likeness. No part of any user’s payment to Glimbo constitutes payment for your likeness. (See Terms § 8.)

5. How we use your data

We use the data we collect to:

  • provide the Service and its features (card pulls, market, profile, etc.);
  • generate card art and lore when you and other involved users have opted in;
  • respect your privacy choices (the toggles in your profile settings);
  • detect and prevent abuse, fraud, and Terms violations;
  • communicate with you about service changes or account issues;
  • comply with legal obligations.

We do not use your data to:

  • train large language models or generative AI foundation models;
  • target you with third-party advertising;
  • profile you across the web or share your activity with data brokers;
  • contact you outside Discord without your consent.

6. Who we share data with (sub-processors)

We do not sell or rent your personal data. We share limited data with the following sub-processors only as necessary to operate the Service:

| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Discord, Inc. | Authentication (OAuth) and bot platform. We process Discord API Data per the Discord Developer Terms. | United States |
| Google LLC (Gemini API) | AI image and text generation. Reference data sent to Gemini is governed by Google's API terms; we do not allow training of foundation models on your data. | United States / EU |
| Cloudflare, Inc. | Content delivery, DDoS protection, and image caching for card art. | Global edge network |
| Hetzner Online GmbH | Primary hosting (application servers and databases). | European Union (Germany / Finland) |
| Stripe, Inc. (via Discord) | Payment processing for subscriptions and Glimbux purchases. | United States |

We may also disclose data when required by law, court order, or valid governmental request, or to defend our legal rights. We will challenge overbroad requests where appropriate and notify you of legal demands unless prohibited from doing so.

7. International data transfers

We process data in the European Union (primary hosting) and the United States (Discord, Google, Stripe). For transfers from the EEA or UK to the United States or other jurisdictions without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, plus supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging).

You may request a copy of the safeguards in place by emailing [email protected].

8. How long we keep data

  • Account data (Discord ID, settings, cards, balance): retained while your account is active and for 30 days after deletion to honor reversals;
  • Generated cards: retained as long as they are owned by an active user, or scrubbed from public surfaces within 7 days of an owner’s or subject’s deletion request;
  • Consent logs: retained for 6 years (statute of limitations) for compliance evidence, in a minimized form that cannot be linked to advertising IDs;
  • Payment records: retained as required by applicable tax and financial law (typically 7 years);
  • Diagnostic logs: auto-pruned after 30 days;
  • Reference images for AI generation: cached for up to 90 days for re-generation workflows, then purged.

9. Security

We use commercially reasonable safeguards to protect your data, including:

  • encryption in transit (TLS 1.2+) and at rest;
  • access controls limiting database access to a small number of named operators;
  • application-layer rate limiting and abuse detection;
  • regular backups with encryption;
  • security event logging and review;
  • responsible disclosure program — report vulnerabilities to [email protected].

No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and applicable supervisory authorities as required by law, typically within 72 hours of confirmation.

10. Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

  • Access — receive a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Restriction — limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdrawal of consent — for any processing that relies on your consent
  • Non-discrimination (CCPA/CPRA) — we will not treat you differently for exercising these rights
  • Complaint to a supervisory authority (GDPR / UK GDPR) — you may lodge a complaint with the data protection authority in your country

To exercise any of these rights, use the controls in your profile settings (one-click export and deletion) or email [email protected]. We will respond within 30 days (extendable by 60 days for complex requests, with notice).

We may need to verify your identity (typically by confirming control of the linked Discord account) before fulfilling certain requests.

11. Children

Glimbo is intended for users 13 years and older (16 in the EEA / UK, or as required by local law). We do not knowingly collect personal data from anyone below those ages. If you believe a child has provided personal data to us, please email [email protected] and we will delete it promptly.

Users between the minimum age and the age of majority require parental or guardian consent (see Terms § 9.7 for likeness-related restrictions applicable to minors).

12. California privacy rights (CCPA / CPRA)

If you are a California resident, you have additional rights:

  • Right to know: We collect the categories of personal information listed in Section 3. We collect for the purposes listed in Section 5. We share with the sub-processors listed in Section 6.
  • Right to delete: Use the deletion option in your profile or email [email protected].
  • Right to correct: Same as above.
  • Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to limit use of sensitive personal information: We treat your likeness as sensitive and only use it under your explicit opt-in consent, never for inferring characteristics about you.
  • Right to non-discrimination: We will not penalize you for exercising these rights.

To submit a verifiable consumer request, email [email protected]. An authorized agent may submit on your behalf with documentation of authority.

13. EEA / UK / Swiss privacy rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the rights listed in Section 10 apply under the GDPR, UK GDPR, or Swiss FADP respectively. The legal bases for our processing are listed in the Section 3 table. You may lodge a complaint with your local supervisory authority — for the EEA, the authority in your Member State of habitual residence; for the UK, the Information Commissioner’s Office (ICO) at ico.org.uk.

14. Cookies and similar technologies

The Glimbo web app uses a small number of strictly necessary cookies (session, authentication, security) and does not use third-party advertising cookies. We do not embed advertising trackers, social media pixels, or non-essential analytics on the Service.

We may use first-party, privacy-preserving usage analytics (e.g., to measure aggregate page-view counts) without identifying you personally. You can block all non-essential cookies using your browser settings without affecting your ability to use the Service.

15. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or by a notice in the Service) before the changes take effect, and we will bump the consent version, which may require you to re-affirm your consent on next sign-in. Older versions are archived; email [email protected] to request a copy.

16. Contact

To contact us about this Privacy Policy or to exercise your rights:

You can also use the in-app controls in your profile settings to export your data, change consent, or delete your account.