Privacy Policy
Last updated: 14 March 2026
Data controller: Black Bear Studio — blackbear.so Product: Glacier — getglacier.ai Privacy contact: hello@getglacier.ai
1. Data we collect
Account data
When you sign up or sign in, Clerk (our authentication provider) collects and stores your email address, name, and OAuth profile information (e.g. from Google). We receive a user ID and basic profile from Clerk to associate your account with your workspace.
Workspace content
Any data you create in Glacier — cards, columns, documents, comments, labels, and project settings — is stored in our database and associated with your workspace.
Usage analytics
We use Vercel Web Analytics (privacy-preserving, no cookies, no cross-site tracking) to measure aggregate page views and performance metrics. No individual-level tracking data is stored.
Technical data
Standard server logs including IP addresses, timestamps, and request metadata. Retained for up to 30 days for security and debugging purposes.
2. How we use your data
We use your data exclusively to:
- Provide and operate the Glacier service
- Authenticate you and manage your workspace
- Send transactional emails (invitations, notifications) via Postmark
- Monitor service health and debug issues
- Comply with legal obligations
We do not use your workspace content for AI model training. We do not sell your data to third parties.
3. Legal basis (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
| Data type | Legal basis |
|---|---|
| Account data | Performance of a contract (Article 6(1)(b)) |
| Workspace content | Performance of a contract (Article 6(1)(b)) |
| Analytics | Legitimate interest — service improvement (Article 6(1)(f)) |
| Security logs | Legitimate interest — fraud prevention (Article 6(1)(f)) |
| Marketing emails | Consent (Article 6(1)(a)) — only if you opt in |
4. Data storage and hosting
| Component | Provider | Location |
|---|---|---|
| Application | Vercel | Edge / US |
| Database | Neon (Postgres) | AWS us-east-1 |
| File storage | Cloudflare R2 | Global edge |
| Authentication | Clerk | US / EU |
| Postmark | US |
We use standard contractual clauses (SCCs) for international transfers where required under GDPR.
5. Third-party processors
We work with the following sub-processors:
| Processor | Purpose | Privacy policy |
|---|---|---|
| Clerk | Authentication and user management | clerk.com/privacy |
| Vercel | Application hosting and analytics | vercel.com/legal/privacy-policy |
| Neon | Postgres database hosting | neon.tech/privacy |
| Postmark | Transactional email delivery | postmarkapp.com/privacy-policy |
| Cloudflare | File storage (R2) | cloudflare.com/privacypolicy |
All processors are bound by data processing agreements and are GDPR-compliant.
6. MCP server data handling
Glacier exposes an MCP (Model Context Protocol) server that allows AI agents (such as Claude) to read and write your workspace content.
- API key auth: When you use an API key to connect an MCP client, that key grants access scoped to your workspace only. Your data is never accessible to other users via MCP.
- OAuth auth: OAuth tokens are scoped to the workspace and projects you authorised at consent time.
- What AI agents can access: Only the data you have permission to access in the Glacier web app. There is no elevated privilege via MCP.
- We do not log or store MCP request content beyond standard server access logs (retained 30 days).
7. Data retention
| Data type | Retention period |
|---|---|
| Account and workspace data | For the lifetime of your account |
| Server logs | 30 days |
| Deleted workspace content | 30 days after deletion, then permanently removed |
| Closed accounts | 30 days after closure, then permanently removed |
8. Your rights (GDPR)
If you are in the EEA, you have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit processing of your data
- Objection — object to processing based on legitimate interest
To exercise any of these rights, contact us at hello@getglacier.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In Italy, this is the Garante per la protezione dei dati personali.
9. Cookies and analytics
Glacier uses:
- Session cookies set by Clerk for authentication (strictly necessary, no consent required)
- Vercel Web Analytics — no cookies, no fingerprinting, privacy-preserving aggregate metrics only
We do not use advertising cookies, third-party tracking pixels, or behavioural analytics.
10. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at hello@getglacier.ai and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you of material changes by email or via a notice in the Service.
12. Contact
For privacy questions, requests, or complaints:
Black Bear Studio hello@getglacier.ai blackbear.so