Privacy Policy
Last updated: 21 May 2026
Data controller: Black Bear Studio — blackbear.so
Product: Glacier — getglacier.ai
Privacy contact: hello@getglacier.ai
1. Data we collect
Account data
When you sign up or sign in, Clerk (our authentication provider) collects and stores your email address, name, and OAuth profile information (e.g. from Google). We receive a user ID and basic profile from Clerk to associate your account with your workspace.
Workspace content
Any data you create in Glacier — cards, columns, documents, comments, labels, and project settings — is stored in our database and associated with your workspace.
Usage analytics
We use Vercel Web Analytics (privacy-preserving, no cookies, no cross-site tracking) to measure aggregate page views and performance metrics. No individual-level tracking data is stored.
Technical data
Standard server logs including IP addresses, timestamps, and request metadata. Retained for up to 30 days for security and debugging purposes.
Payment data
If you subscribe to a paid plan, payment is processed by Stripe, Inc. Stripe collects and stores your payment method details directly; we do not receive or store full card numbers. We receive and retain the following from Stripe:
- Billing name and email address
- Last four digits of payment card (for invoice display)
- Country and postal code (for tax purposes)
- Subscription status, plan, and renewal dates
- Stripe customer ID and invoice history
This data is processed under the contract legal basis (GDPR Article 6(1)(b)) and retained for as long as your account is active plus any period required by tax and accounting law (typically 7–10 years depending on jurisdiction).
2. How we use your data
We use your data exclusively to:
- Provide and operate the Glacier service
- Authenticate you and manage your workspace
- Send transactional emails (invitations, notifications) via Postmark
- Monitor service health and debug issues
- Comply with legal obligations
We do not use your workspace content for AI model training. We do not sell your data to third parties.
3. Legal basis (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
| Data type | Legal basis |
|---|---|
| Account data | Performance of a contract (Article 6(1)(b)) |
| Workspace content | Performance of a contract (Article 6(1)(b)) |
| Analytics | Legitimate interest — service improvement (Article 6(1)(f)) |
| Security logs | Legitimate interest — fraud prevention (Article 6(1)(f)) |
| Payment data | Performance of a contract + legal obligation (Article 6(1)(b), 6(1)(c)) |
| Marketing emails | Consent (Article 6(1)(a)) — only if you opt in |
4. Data storage and hosting
| Component | Provider | Location |
|---|---|---|
| Application | Vercel | Edge / US |
| Database | Neon (Postgres) | AWS eu-west-1 (EU) |
| File storage | Cloudflare R2 | Global edge |
| Authentication | Clerk | US / EU |
| Transactional email | Postmark | US |
| Payment processing | Stripe | US / EU |
We use standard contractual clauses (SCCs) for international transfers where required under GDPR.
5. Third-party processors
We work with the following sub-processors:
| Processor | Purpose | Privacy policy |
|---|---|---|
| Clerk | Authentication and user management | clerk.com/privacy |
| Vercel | Application hosting and analytics | vercel.com/legal/privacy-policy |
| Neon | Postgres database hosting (EU) | neon.tech/privacy |
| Postmark | Transactional email delivery | postmarkapp.com/privacy-policy |
| Cloudflare | File storage (R2) | cloudflare.com/privacypolicy |
| Stripe | Payment processing and billing | stripe.com/privacy |
All processors are bound by data processing agreements and are GDPR-compliant.
Stripe as a data processor. When you subscribe, Stripe processes your payment data as a data processor acting on our behalf under a Data Processing Agreement. Stripe is certified to the EU–US Data Privacy Framework. Your payment information is encrypted in transit and at rest. Stripe does not receive access to your Glacier workspace content.
EU data residency. Glacier's primary database (Neon Postgres) is hosted in the AWS eu-west-1 (Ireland) region. Workspace content — cards, documents, comments, and project data — is stored within the EU.
6. MCP server data handling
Glacier exposes an MCP (Model Context Protocol) server that allows AI agents (such as Claude) to read and write your workspace content.
- API key auth: When you use an API key to connect an MCP client, that key grants access scoped to your workspace only. Your data is never accessible to other users via MCP.
- OAuth auth: OAuth tokens are scoped to the workspace and projects you authorised at consent time.
- What AI agents can access: Only the data you have permission to access in the Glacier web app. There is no elevated privilege via MCP.
- We do not log or store MCP request content beyond standard server access logs (retained 30 days).
7. Data retention
| Data type | Retention period |
|---|---|
| Account and workspace data | For the lifetime of your account |
| Server logs | 30 days |
| Deleted workspace content | 30 days after deletion, then permanently removed |
| Closed accounts | 30 days after closure, then permanently removed |
8. Your rights (GDPR)
If you are in the EEA, you have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit processing of your data
- Objection — object to processing based on legitimate interest
To exercise any of these rights, contact us at hello@getglacier.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In Italy, this is the Garante per la protezione dei dati personali.
9. Cookies and analytics
Glacier uses:
- Session cookies set by Clerk for authentication (strictly necessary, no consent required)
- Vercel Web Analytics — no cookies, no fingerprinting, privacy-preserving aggregate metrics only
We do not use advertising cookies, third-party tracking pixels, or behavioural analytics.
10. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at hello@getglacier.ai and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you of material changes by email or via a notice in the Service.
12. Contact
For privacy questions, requests, or complaints:
Black Bear Studio
hello@getglacier.ai
blackbear.so