Privacy Policy — Glint

Last updated: May 13, 2026

Entity information: GLINT SASU, SIREN 104 088 703, Niort Trade and Companies Register, share capital €2,000, registered office at 18 Chemin de la Futaie 79200 Pompaire. Holding: AIRAULT & CO SAS, SIREN 103 077 202, Niort Trade and Companies Register.

1. Introduction

This Privacy Policy (the "Policy") describes how GLINT, a French simplified joint-stock company with sole shareholder (SASU) with share capital of 2,000 euros, with its registered office at 18 Chemin de la Futaie, 79200 Pompaire, France, registered with the Niort Trade and Companies Register under number 104 088 703, represented by its President AIRAULT & CO (SAS, SIREN 103 077 202) ("Glint", "we", "our" or "us") collects, processes, stores and shares the personal data of individuals who use its services (the "Services"), accessible through the website glintdata.io, the Glint mobile application and the enterprise portal (collectively, the "Platform").

Glint operates a paid human data collection platform that connects two categories of users:

Contributors: adult individuals who perform data capture missions (photos, videos, audio, screen-and-voice sessions) in exchange for compensation;
Clients: businesses (notably AI labs, robotics companies and world-model builders) that order and acquire datasets produced via the Platform.

Glint is committed to native compliance with Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act of January 6, 1978 as amended ("Loi Informatique et Libertés") and Regulation (EU) 2024/1689 ("AI Act").

We reserve the right to amend this Policy at any time. Any material change will be notified to you by email at the address associated with your account and/or via an in-app notice prior to the effective date of the change. Continued use of the Services after the effective date constitutes acceptance of the revised version.

2. Data controller and contact

The data controller is:

GLINT (SASU) 18 Chemin de la Futaie, 79200 Pompaire, France SIREN: 104 088 703 — Niort Trade and Companies Register Share capital: €2,000 Represented by its President: AIRAULT & CO (SAS, SIREN 103 077 202) Email: privacy@glintdata.io

For any question regarding the protection of your data or the exercise of your rights, please contact us at privacy@glintdata.io with the subject line "GDPR".

Glint is not currently required to appoint a Data Protection Officer (DPO) under article 37 of the GDPR. This obligation will be reassessed once regular and systematic monitoring of Contributors at large scale becomes effective.

3. Scope

This Policy applies to anyone who:

visits glintdata.io or related subdomains;
creates a Contributor account on the Glint mobile application or website;
creates a Client account on the Glint enterprise portal;
performs a data capture mission on behalf of Glint;
orders, downloads or uses a dataset delivered by Glint;
interacts with Glint via email, contact form or any other official channel.

This Policy does not apply to third-party services you may use alongside the Platform (notably banking services, Stripe, PayPal, Google, Apple, telecom carriers, etc.). Such services are governed by their own privacy policies, which we encourage you to read.

4. Data we collect

4.1 Data you provide

4.1.1 Account and profile data (Contributors and Clients)

First and last name, username
Email address
Password (stored encrypted, never in clear text)
Phone number
Date of birth (verification of age of majority)
Country and city of residence
Profile picture (optional)
Spoken language(s)
Login credentials via third-party provider (Google, Apple) where applicable

4.1.2 Contributor-specific data

Identity document: copy of a valid identity document (national ID card, passport, residence permit) for age verification, KYC and fraud prevention
Banking information: IBAN, BIC or Stripe/PayPal identifiers for payouts
Tax data: status (sole proprietor where applicable), tax ID if applicable, country of tax residence
Professional information: occupation, specific skills, languages spoken, equipment (smartphone model)
Postal address: only if necessary for the delivery of specialized capture equipment or for tax purposes
Balance and earnings history: amounts earned, missions completed, withdrawals made
Contributor level: Starter, Confirmed, Expert or Ambassador
Moderation history: warnings, suspensions, exclusions where applicable

4.1.3 Content submitted by Contributors ("Submitted Content")

When you perform a mission, you submit content to the Platform that may include personal data:

Photo, video, audio files captured as part of missions
Screen-and-voice sessions: screen captures with voice annotations
EXIF/IPTC metadata: date and time of capture, device model, technical settings, geolocation (if enabled on the device)
Contextual metadata: personal description of the scene, tags, environment context, intent/action in progress, as filled in by you
Files potentially containing images of third parties, voices, license plates, personal documents: it is your responsibility to obtain the prior written consent of any identifiable person appearing in your Submitted Content (see Section 6.4)

4.1.4 Client-specific data

Company name, legal form, identification number (SIREN, VAT, EIN, etc.)
Billing and registered office address
Contact details of the technical and commercial contact (name, position, email, phone)
Payment information (credit card, IBAN, Stripe identifiers)
Order history, datasets downloaded, invoices issued

4.1.5 Communications

Any content you send us through privacy@glintdata.io, the contact form, in-app chat, WhatsApp or any other official communication channel, including any attachments.

4.2 Data collected automatically ("Technical Data")

When you access the Platform, we automatically collect:

Connection data: IP address, ISP, connection logs, dates and times of access
Device data: device type, operating system and version, advertising identifier where applicable, browser language
Usage data: pages viewed, missions browsed, time spent, clicks, navigation paths, features used, errors encountered
Mobile app data: installed version, app events (open, crash), enabled push notifications
Cookies and trackers: see Section 7

4.3 Data received from third parties

Third-party authentication: if you log in via Google, Apple or another provider, we receive the profile information they share with us (email, name, user ID, picture)
Identity verification: KYC is handled natively by Stripe Connect during Contributor onboarding. Stripe collects the ID document, verifies the address, screens against sanctions lists, and transmits the result to us (status validated/refused, reasons).
Social networks: if you interact with our social pages (LinkedIn, X, Instagram, TikTok), we may receive limited profile data based on your privacy settings
Partners: as part of referral programs or partnerships, we may receive your contact details if you have consented
Public sources: for B2B prospecting or background checks, we may consult public sources (professional LinkedIn, trade registers, specialized press)

5. Purposes, legal bases and retention periods

In accordance with article 6 of the GDPR, each data processing activity relies on an identified legal basis. The table below summarizes the main purposes, legal bases and retention periods.

Purpose	Data concerned	Legal basis	Retention period
Creation and management of Contributor or Client account	Account, profile, login credentials	Performance of contract (art. 6.1.b GDPR)	Duration of the account + 3 years after last activity
Identity verification (KYC) and fraud prevention	ID document, photo, verification data	Legal obligation (art. 6.1.c GDPR) — anti-fraud, anti-money-laundering	5 years from account closure (art. L.561-12 French Monetary and Financial Code)
Performance and payment of missions	Submitted Content, banking data, earnings, taxes	Performance of contract (art. 6.1.b GDPR)	Payment data: 10 years (accounting obligation); Submitted Content: see Section 5.1
License and transmission of datasets to Clients	Enriched Submitted Content, pseudonymized metadata	Performance of contract (art. 6.1.b GDPR) + Explicit Contributor consent (art. 6.1.a GDPR)	See Section 5.1
Automatic AI enrichment of Submitted Content	Files, metadata	Legitimate interest (art. 6.1.f GDPR) — dataset value creation	Same as Submitted Content
Platform security, access logs, intrusion detection	Technical data, logs	Legitimate interest (art. 6.1.f GDPR)	12 months max (CNIL recommendation)
Service communications (notifications, invoices, alerts)	Email, phone, account data	Performance of contract (art. 6.1.b GDPR)	Duration of the account
B2B commercial prospecting	Professional contact details	Legitimate interest (art. 6.1.f GDPR) — professional prospecting	3 years from last contact
Marketing and newsletters (B2C)	Email	Consent (art. 6.1.a GDPR)	Until withdrawal of consent, no longer than 3 years after last contact
Analytics and audience measurement cookies	Non-essential cookies	Consent (art. 6.1.a GDPR)	13 months max
Responses to GDPR requests	Data necessary for processing the request	Legal obligation (art. 6.1.c GDPR)	3 years after processing the request
Litigation and legal defense	Relevant data	Legitimate interest (art. 6.1.f GDPR)	Applicable limitation period (typically 5 years)

5.1 Special case: retention of Submitted Content and delivered datasets

The specificity of Glint's model imposes a particular retention regime that we wish to make explicit:

Before quality control validation: raw Submitted Content is kept on Glint's servers for the time necessary for validation, up to 30 days after submission. Rejected files are deleted no later than 30 days after rejection notice.
After validation and delivery to a Client: the license granted by the Contributor to Glint, and by Glint to the Client, is granted on a perpetual and irrevocable basis, within the limits defined by the Contributor License (see Section 8 and the Terms of Service). Delivered datasets may be used by Clients to train and improve their AI models beyond the closure of the Contributor's account or any subsequent deletion request, within the limits provided by law and your explicit consent collected at registration.
Right to object for future missions: at any time, a Contributor may withdraw consent and request deletion of their data. Such withdrawal takes effect for all future missions but does not affect the license of datasets already delivered to Clients in good faith. See Section 6.
Retention of Submitted Content on Glint's servers after delivery: raw Submitted Content is deleted from Glint's servers no later than 90 days after delivery of the dataset to the Client, unless a specific contractual retention clause has been agreed with a Client (e.g., for audit, re-delivery or quality monitoring).

Articulation with the right to erasure (art. 17 GDPR). The legal basis for processing Submitted Content is the Contributor's explicit consent collected at submission, complemented by performance of contract. The irrevocability of the license concerns the use of Datasets already delivered to Clients in good faith, and not the Contributor's right to obtain deletion of their directly identifying personal data (name, email, IBAN, ID document), which remain deletable upon request in accordance with Section 6.

6. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights over your personal data:

6.1 Right of access (art. 15)

You may obtain confirmation that data concerning you is being processed and obtain a copy of such data and information about its processing.

6.2 Right to rectification (art. 16)

You may request the correction of inaccurate or incomplete data concerning you. You can also update most of your profile data directly from your account.

6.3 Right to erasure (art. 17)

You may request the deletion of your data in the cases provided for by the GDPR, in particular when the data is no longer necessary for the purposes, when you withdraw your consent, or when you object to the processing.

Limitations specific to the Glint model:

deletion of your data does not extend to Submitted Content already delivered to Clients as part of datasets, in accordance with the granted license and Section 5.1;
we are required to retain certain data to meet our legal obligations (accounting, KYC, anti-fraud) for the periods indicated in Section 5;
data present in encrypted technical backups is deleted as part of the backup rotation cycle (typically 30 to 90 days).

6.4 Right to restriction of processing (art. 18)

In the cases provided for by the GDPR, you may request that the processing of your data be restricted (suspended without deletion).

6.5 Right to portability (art. 20)

You may receive your data in a structured, commonly used and machine-readable format, and ask us to transmit it directly to another controller where technically feasible.

6.6 Right to object (art. 21)

You may object at any time, on grounds relating to your particular situation, to processing based on legitimate interest. You may also object at any time and without justification to the processing of your data for direct marketing purposes.

6.7 Right to withdraw consent (art. 7.3)

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out beforehand.

6.8 Rights regarding automated decisions (art. 22)

You have the right not to be subject to a decision based solely on automated processing producing legal effects or significantly affecting you in a similar manner. Glint uses automated systems for technical pre-quality control of Submitted Content, AI enrichment, and preliminary fraud detection. Any decision significantly affecting a Contributor (suspension, exclusion, refusal of payment, level demotion) is subject to human review prior to execution.

6.9 Right to set post-mortem directives

Pursuant to article 85 of the French Data Protection Act, you have the right to set directives regarding the fate of your data after your death.

6.10 How to exercise your rights

You can exercise your rights by sending an email to privacy@glintdata.io with the subject "GDPR" and the nature of your request. For security reasons, we may ask you to verify your identity before acting on your request.

We undertake to respond to your request within one month of receipt. This period may be extended by an additional two months in case of particular complexity, in which case we will inform you accordingly.

6.11 Right to lodge a complaint with the CNIL

If, after contacting us, you believe your rights are not respected, you may lodge a complaint with the French Data Protection Authority:

CNIL 3 place de Fontenoy TSA 80715 75334 Paris Cedex 07 www.cnil.fr

7. Cookies and trackers

7.1 What is a cookie?

A cookie is a small text file placed on your device when you visit a website or use an application. It allows your device to be recognized, your preferences to be remembered or your behavior to be analyzed.

7.2 Categories of cookies used

Category	Purpose	Legal basis	Duration
Strictly necessary cookies	Authentication, session, security, load balancing	Legitimate interest / Performance of contract	Session or 13 months max
Audience measurement cookies	Anonymized usage analysis (Vercel Analytics, equivalents)	Consent (except CNIL exemption for strictly internal anonymized analysis)	13 months max
Functional cookies	Memorization of your preferences (language, settings)	Consent	13 months max
Marketing / advertising cookies	Glint does not use third-party advertising cookies at this stage	N/A	N/A

7.3 Cookie management

On your first visit to the Platform, a cookie banner allows you to accept, refuse or customize the deposit of non-essential cookies. You can change your preferences at any time via the cookie management module accessible from the site footer.

You can also configure your browser to block or delete cookies. This configuration may impair the operation of the Platform.

The exhaustive list of cookies actually deposited (name, provider, purpose, duration) is kept up to date in the cookie banner accessible on the site. In accordance with CNIL recommendations, the "Refuse" button is as visible as the "Accept" button.

8. Recipients and processors

Your data may be communicated to the following categories of recipients, strictly to the extent necessary to fulfill the purposes described:

8.1 Internally

To employees and authorized collaborators of GLINT, within the limit of their duties (technical team, ops team, customer success team, finance/accounting team).

8.2 To Clients (datasets)

Validated and enriched Submitted Content is transmitted to Clients in the form of datasets, accompanied by technical and contextual metadata. The direct identity of the Contributor is never transmitted to the Client: a pseudonymized identifier (UUID) is used. A correspondence table between the UUID and the actual identity is kept separately, on a strictly restricted-access basis.

8.3 To processors

Glint relies on processors to provide all or part of the Services. Each processor is governed by a processing agreement compliant with article 28 of the GDPR.

Processor	Service category	Server location	Safeguards
Supabase	Database, authentication, file storage	Ireland (European Union)	Supabase DPA, encryption at rest and in transit, no transfer outside the EU
Vercel	Frontend hosting and deployment	Multi-region (EU and US)	Vercel DPA, Standard Contractual Clauses for transfers outside the EU
Google (Gemini API via Google Cloud)	AI enrichment of Submitted Content (description, tags, object detection)	Multi-region (including United States)	Google Cloud Data Processing Addendum (DPA) applicable by law; usage on Paid Tier with active Cloud billing account; Submitted Content is not used by Google to train its own models in accordance with Google's Paid Services terms; Standard Contractual Clauses for transfers outside the EU
Stripe (Stripe Connect, Stripe Identity)	Client payment processing, Contributor payouts and identity verification (KYC) integrated in Stripe Connect	Ireland (EU) and United States	Stripe DPA, Standard Contractual Clauses, AML compliance
PayPal	Contributor payouts (option)	Luxembourg (EU) and United States	PayPal DPA, Standard Contractual Clauses
WhatsApp / Meta	Transactional communication with Contributors (early stage phase)	Multi-region	Meta DPA, Standard Contractual Clauses; usage limited to mission notifications and support
Google Drive / WeTransfer	Secure file transfer in early stage phase (before migration to native infrastructure)	United States	Google Workspace / WeTransfer DPA, Standard Contractual Clauses; limited use, to be replaced by Glint infrastructure
Resend	Sending service emails (invoices, notifications, status updates)	United States (with European servers)	Resend DPA, Standard Contractual Clauses for transfers outside the EU, TLS encryption
Notion (Notion Labs, Inc.)	Storage and management of the registrations submitted through the website waitlist form (name, email, profile information you provide)	United States	Notion DPA, Standard Contractual Clauses for transfers outside the EU, TLS encryption
Cloudflare (Turnstile)	Anti-bot / "CAPTCHA" protection of the website forms; processes your IP address and technical signals to distinguish humans from automated bots	United States (global edge network)	Cloudflare DPA, Standard Contractual Clauses for transfers outside the EU; Turnstile is privacy-oriented and does not use cookies for advertising tracking

This list is subject to change. Any material change will be reflected in this Policy. The processors used at any given time may be communicated to you upon request to privacy@glintdata.io.

8.4 Authorities, advisors and legitimate third parties

Your data may be communicated:

to administrative or judicial authorities when required by law (subpoena, court order);
to our advisors (lawyers, accountants, auditors) under confidentiality obligations;
as part of a transfer, merger or reorganization, to potential acquirers, under confidentiality obligations;
to third parties when necessary to assert our rights or defend ourselves in court.

8.5 No sale of data to third parties for commercial purposes

Glint does not sell or rent your directly identifying personal data (name, email, IBAN, etc.) to third parties for commercial purposes. Datasets delivered to Clients only contain Submitted Content and pseudonymized Contributor identifiers, in accordance with the granted license.

9. Transfers outside the European Union

Some of our processors may process your data outside the European Economic Area, notably in the United States. In such cases, Glint ensures that appropriate safeguards are in place, in accordance with articles 44 to 49 of the GDPR:

Adequacy decision by the European Commission (e.g., the Data Privacy Framework for transfers to the United States for certified entities);
Standard Contractual Clauses approved by the European Commission;
Additional technical measures (encryption, pseudonymization, strict access control);
Transfer Impact Assessments where applicable.

You may request a copy of the applicable safeguards by contacting privacy@glintdata.io.

10. Security

Glint implements appropriate technical and organizational measures to protect your data against unauthorized access, modification, disclosure or destruction:

encryption of data in transit (TLS 1.2+) and at rest (AES-256);
password hashing and salting (bcrypt or Argon2);
role-based access control, principle of least privilege;
logging of access to sensitive data;
network isolation of production environments;
encrypted backups, regularly tested;
periodic security testing and vulnerability monitoring;
training of collaborators on security best practices;
security incident management procedure, in accordance with article 33 of the GDPR (notification to the CNIL within 72 hours and notification to data subjects in case of high risk).

As no measure can guarantee absolute security, you are invited to protect your credentials, use a strong and unique password, enable two-factor authentication when available, and notify us immediately at security@glintdata.io of any suspected compromise of your account.

11. Data concerning minors

The Services are strictly reserved for adults (18 years and over). Glint does not knowingly collect personal data from minors. If we discover that data concerning a minor has been collected without the verified consent of the holders of parental authority, such data will be deleted promptly.

If you believe a minor has provided us with data, please contact us at privacy@glintdata.io.

Contributors expressly undertake not to include images, voices or other identifiable data of minors in their Submitted Content without prior authorization from holders of parental authority. Any Submitted Content containing minor data without justification of authorization will be rejected and may result in suspension or exclusion of the Contributor.

12. Automated decisions and artificial intelligence (AI Act)

In accordance with article 22 of the GDPR and Regulation (EU) 2024/1689 (AI Act), we inform you that Glint uses automated systems and artificial intelligence in several processing activities:

Processing	System used	Underlying logic	Consequences
Technical pre-quality control of Submitted Content	Automated scripts	Verification of format, resolution, duration, metadata	Automatic notification to Contributor in case of failure, possibility of resubmission
Automatic enrichment (description, tags, object detection)	Generative AI and vision models (notably Google Gemini)	Generation of semantic metadata from visual/audio content	No adverse decision against the Contributor; this data enriches the dataset delivered to the Client
Preliminary fraud detection	Algorithms (file hash, reverse image search, metadata coherence check)	Identification of duplicates, stolen content, falsified metadata	In case of suspicion, systematic human review before any sanction
Mission / Contributor matching	Profile and skill filtering algorithms	Suggestion of missions matching the Contributor's profile	No adverse decision; the Contributor remains free to accept or not

No decision producing legal effects or significantly affecting a Contributor or Client is made solely on an automated basis. Human review is always interposed for decisions of suspension, exclusion, refusal of payment or level demotion.

You have the right to obtain human intervention, express your point of view and contest any decision by contacting us at privacy@glintdata.io.

13. Changes to the Policy

We reserve the right to amend this Policy at any time, in particular to reflect changes in legislation, our practices, our processors or the Platform's features.

Any material change will be notified to you by email and/or in-app notification at least 30 days before its entry into force. Continued use of the Services after such date shall constitute acceptance of the revised version.

The date of the latest update is shown at the top of this document.

14. Contact

For any question regarding this Policy or your personal data:

GLINT (SASU) 18 Chemin de la Futaie, 79200 Pompaire, France Email: privacy@glintdata.io (subject: GDPR)

Last updated: May 13, 2026.