GA-PRIV-1.0 · Effective 2026-04-24

Privacy Policy

How GlueArrow collects, uses, discloses, and protects personal data across its websites, software, and cloud services.

GlueArrow — Privacy Policy

Document identifier: GA-PRIV-1.0 · Effective date: 2026-04-24 · Last updated: 2026-04-24


1. Who We Are

GlueArrow Inc. is a Delaware corporation headquartered at 1111B S Governors Ave # 50266, Dover, DE 19904, United States ("GlueArrow", "we", "us").

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our websites (gluearrow.com, docs.gluearrow.com, and related properties), use our cloud services, install our Box OS software, or otherwise interact with us.

For questions or to exercise the rights described below, contact privacy@gluearrow.com.

2. Summary at a Glance

| What | How long | Why |
|---|---|---|
| Account information (name, email, phone, role) | While account is active + 24 months | Operate your account, support you |
| Authentication and session data | Short-lived (24 hours typical) | Sign you in securely |
| Broadcast operational metadata (schedules, ad campaigns, station configuration) | While account is active + 7 years | Run your station, regulatory record-keeping |
| Proof-of-play records | 7 years | Advertiser billing, royalty distribution |
| Detection metadata (compact representations of broadcast content) | 7 years | Power proof-of-play, music recognition |
| Service usage logs (IP, device, page views) | 12 months | Security, fraud prevention, product analytics |
| Cookies and similar technologies | See Section 9 | Essential site function and limited analytics |

We do not record or transmit raw broadcast audio to our cloud unless you explicitly enable an audio archival feature. Detection metadata is compact and non-reversible.

3. Personal Data We Collect

3.1 Information you provide

  • Account information: name, email address, phone number, organization name, role, license key.
  • Profile information: profile photo, biographical details, voice samples (only if you enable speaker calibration), trust score data.
  • Payment information: billing address and payment method, processed by our payment processor; we do not store full card numbers on our servers.
  • Communications: messages you send to support, sales, or security teams.

3.2 Information we collect automatically

  • Device and connection data: IP address, browser user agent, operating system, time zone, approximate location derived from IP.
  • Usage data: pages visited, features used, broadcast sessions, click events.
  • Diagnostic data: crash reports, latency metrics, error events from the Box OS engine.

3.3 Information from third parties

  • Identity providers: if you sign in via SAML/SSO or OTP delivered by WhatsApp, we receive the identifiers your provider releases.
  • Music identification services: when station audio is identified, we may receive metadata about identified tracks from third-party catalog providers.
  • Public records: for our verification products, we may match information against public registries.

4. How We Use Personal Data

We process personal data for the following purposes:

  • Provide the service: authenticate you, run your broadcast operations, deliver ads, log proof-of-play, sync schedules, deliver software updates.
  • Customer support: respond to your questions, troubleshoot issues, communicate service notices.
  • Billing: invoice for fees, distribute royalty payments, handle refunds.
  • Security and fraud prevention: detect abuse, investigate suspicious activity, enforce our terms.
  • Product improvement: analyze aggregate usage to improve features and reliability.
  • Legal compliance: comply with applicable law, respond to lawful requests, defend legal claims.
  • Regulatory record-keeping: retain proof-of-play and broadcast logs as required by broadcast and advertising regulations.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

5. Legal Basis for Processing (EEA / UK)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

| Purpose | Legal basis |
|---|---|
| Provide the service to you | Contract (Article 6(1)(b)) |
| Customer support and billing | Contract / Legitimate interests (Article 6(1)(b) / 6(1)(f)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Product analytics | Legitimate interests (Article 6(1)(f)); consent where required |
| Compliance with law | Legal obligation (Article 6(1)(c)) |
| Marketing communications (where applicable) | Consent (Article 6(1)(a)) |

You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

6. Sharing and Sub-Processors

We share personal data only with the following categories of recipients:

  • Service providers (sub-processors) that process data on our behalf to deliver the service. The current list is published at https://gluearrow.com/legal/dpa#schedule-2-sub-processors. As of the effective date, our principal sub-processors include:
    • Google Cloud Platform LLC (United States) — primary cloud infrastructure
    • Anthropic, PBC (United States) — optional AI assistance features
    • AudD Tools FZ-LLC (United Arab Emirates) — optional music identification fallback
    • Restream, Inc. (United States) — optional multi-destination streaming
  • Affiliates within the GlueArrow corporate group, subject to the protections of this Policy.
  • Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
  • Authorities when required by valid legal process or to protect rights, safety, or property.
  • Successors in connection with a merger, acquisition, or sale of all or part of our business, with notice to affected users.

We do not transfer personal data to any party in violation of this Policy or applicable law.

7. International Data Transfers

We are based in the United States. Personal data may be processed in the United States, the European Union, or other jurisdictions where our service providers operate. Where we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, we use the European Commission's Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum where applicable, supplemented by additional safeguards as appropriate.

A copy of the relevant transfer mechanism is available on request from privacy@gluearrow.com.

8. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, plus any additional period required by law. Specific retention periods are summarized in Section 2. Proof-of-play records and broadcast logs are retained for 7 years to satisfy advertising and broadcast regulatory requirements.

When data is no longer needed, we either delete it or irreversibly anonymize it.

9. Cookies and Similar Technologies

We use a small number of cookies and equivalent client-side storage to provide essential site functionality (authentication, session management, theme preference) and to measure aggregate usage. Where required by law, we obtain consent before setting non-essential cookies. You can manage cookies via your browser settings.

We do not use third-party advertising cookies on our principal websites.

10. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access — obtain a copy of the personal data we hold about you;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion, subject to legal retention obligations;
  • Restriction — limit how we process your data;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — where processing is based on consent;
  • Complaint — lodge a complaint with your local data protection authority. In the EEA, you may identify your authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, contact the Information Commissioner's Office at https://ico.org.uk.

To exercise any of these rights, email privacy@gluearrow.com from the email address associated with your account, or include sufficient information to verify your identity.

For California residents, additional rights are described in Section 11.

11. California Residents (CCPA / CPRA)

In the past 12 months, we have collected the categories of personal information described in Section 3 from the sources described in Section 3, for the purposes described in Section 4, and have disclosed personal information to the categories of recipients described in Section 6 for service delivery purposes only.

We do not sell or share personal information for cross-context behavioral advertising as defined under the CPRA.

California residents may exercise the rights described in Section 10, plus the right to non-discrimination for exercising those rights. To submit a request, email privacy@gluearrow.com.

12. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2 minimum), least-privilege access controls, audit logging, and secure software supply chain practices. Our complete security posture is described in the Security Whitepaper at https://docs.gluearrow.com/security-whitepaper.

To report a security vulnerability, email security@gluearrow.com (PGP key on request).

13. Children's Privacy

Our services are not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe we have collected such data, contact privacy@gluearrow.com and we will promptly delete it.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by posting the revised Policy at https://gluearrow.com/legal/privacy and, where required by law, by direct notice to affected users. The "Last updated" date at the top of this Policy reflects the most recent revision.

15. Contact

  • Privacy inquiries: privacy@gluearrow.com
  • Security inquiries: security@gluearrow.com
  • Postal address: GlueArrow Inc., 1111B S Governors Ave # 50266, Dover, DE 19904, United States
  • EU representative (if applicable): to be appointed when our EU customer base requires designation under Article 27 GDPR.



Need a signed counterpart?

Pre-signed copies of this agreement are available for enterprise contracts.

Email legal@gluearrow.com
