Glowdun.AI

Privacy Policy

Last updated: April 19, 2026

Glowdun.AI (“Glowdun,” “we,” “us”) provides an AI cost intelligence platform for finance teams. This policy describes what we collect, how we use it, who we share it with, and the controls you have over your data. If you're evaluating Glowdun for procurement, we also maintain a Trust & Security page with the specific technical and policy details.

1. What we collect

Three categories of data flow through Glowdun.AI:

  • Account & organization data. Name, work email, bcrypt-hashed password, company name, optional headcount and annual revenue (used only for peer benchmarks), and team / attribution configuration you create inside the product.
  • Provider credentials. When you connect a provider (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex AI, OpenRouter), you provide an API key, IAM credentials, or service-account JSON. These are encrypted at rest using AES-256-GCM with a key that never leaves our server. We use these credentials only to read cost and usage data from the provider on your behalf.
  • Cost & usage data. Billing periods, billed cost, token counts (input / output / cached / reasoning), model IDs, provider names, and the team/tag/API-key hash attributions you configure. This is what powers the dashboards, reports, and journal-entry exports. We do not read, store, or transmit the content of your prompts, completions, or any user inputs sent to the underlying AI providers.

2. How we use it

  • To run the product: sync your providers, compute cost metrics, render dashboards and reports, and trigger the alerts you configure.
  • To send operational email you opted into (cost alerts, password reset, weekly digest).
  • To debug problems and improve the product. Aggregated, non-identifying metrics may be used internally to prioritize features; we do not sell, rent, or trade your data, and we do not use your cost data to train models.

3. Sub-processors

Glowdun.AI uses the following sub-processors to operate the service. Each has its own security posture and data-processing terms. We update this list when sub-processors change.

  • Vercel, Inc. — application hosting and edge runtime (US region).
  • Prisma Data Platform / our managed Postgres provider — primary database (US region).
  • Resend — transactional email delivery (alerts, digests, password reset).
  • Sentry — error monitoring. Scrubbed of tokens and credentials.
  • Your chosen AI providers. When you connect a provider, Glowdun calls that provider's API on your behalf using the credential you supply. Those providers are not Glowdun sub-processors — they're your vendors.

4. Security

  • All traffic is served over HTTPS with HSTS.
  • Provider credentials are AES-256-GCM encrypted at rest.
  • User passwords are bcrypt-hashed; we never store plaintext passwords.
  • Email addresses are AES-256-GCM encrypted at rest; lookups use a SHA-256 hash.
  • Every provider add, alert-threshold change, and API-key rotation is recorded in a per-organization audit log, exportable as CSV for SOC 2 evidence.
  • We are targeting SOC 2 Type I attestation in Q3 2026. In the interim, we can provide a security questionnaire and the standard mutual NDA on request.

5. Data location & retention

Data is stored on US-region infrastructure. We retain your cost events and audit log for the lifetime of your account. On account deletion, we purge your data within 30 days, retaining only minimal billing records as required by applicable tax law.

6. Your rights (GDPR / CCPA)

Regardless of where you're based, you have the right to access, correct, export, or delete your personal data, and to object to or restrict our processing of it. Email privacy@glowdun.ai and we'll respond within 30 days.

7. DPA

A Data Processing Agreement (DPA) is available on request. Email privacy@glowdun.ai and we'll send you our standard template — we accept signature via DocuSign or a countersigned PDF.

8. Changes to this policy

Material changes (new sub-processors, new data categories, retention changes) are communicated by email to organization admins at least 30 days before they take effect. Non-material clarifications are timestamped above and pushed without separate notice.

9. Contact

Privacy questions, DPA requests, data access/deletion requests: privacy@glowdun.ai