Gleam

    Privacy Policy

    Last Updated: April 24, 2026

    Introduction

    This Privacy Policy describes how Gleam ("we", "us", "our") collects, uses, stores, and protects personal information when you use our digital legacy service (the "Service"). It should be read alongside our Terms of Service, which govern the broader relationship between you and Gleam.

    By using the Service, you consent to the practices described in this Policy. If you do not agree, please do not use the Service.

    1. Information We Collect

    We collect only the information needed to run the Service and honor your wishes:

    • Account information — email address, authentication identifiers, and any profile details you choose to provide.
    • Message content — the letters, notes, and attachments you create for future delivery.
    • Recipient details — the names, email addresses, and any context you supply for the people who will receive your messages.
    • Activity signals — sign-ins, check-in responses, and other signals used to determine whether you remain active. These drive the inactivity-detection process that ultimately triggers message delivery.
    • Payment metadata — information required to process subscriptions (e.g., transaction IDs, plan, billing country). Full card numbers are handled by our payment processor and are not stored by Gleam.
    • Technical logs — IP address, user agent, request timestamps, and similar operational data collected for security, abuse prevention, and debugging.

    2. How We Use Your Information

    We use your information to:

    • Operate the Service, including creating, storing, and eventually delivering your messages.
    • Run inactivity check-ins and, after the three-strike process documented in our Terms, initiate message delivery when you are presumed unreachable.
    • Communicate with you about your account, subscriptions, and material changes to the Service.
    • Comply with legal obligations, enforce our Terms, and prevent fraud or abuse.

    We do not sell personal information. We do not use message content for advertising or for training machine-learning models.

    3. How We Store and Protect Your Information

    Your message content is encrypted at rest on our servers using AES-256-GCM. Encryption keys are managed by Gleam on the server side.

    Important — what this means in practice: the Service is not end-to-end encrypted at this time. Because Gleam holds both the database and the encryption keys, Gleam personnel with sufficient access could, in principle, decrypt stored message content. We treat this as a sensitive matter and enforce strict access controls:

    • Production access is limited to a small set of engineers on a need-to-know basis.
    • We do not read user messages as a matter of policy, and we never use their contents for any purpose other than delivery.
    • Access is auditable and reviewed.

    If we later introduce true end-to-end (client-side) encryption, this Policy will be updated and affected users will be notified.

    Transport is protected with TLS. We apply industry-standard safeguards, but no method of electronic storage or transmission is 100% secure; we cannot guarantee absolute security.

    4. Sharing With Third Parties

    We share personal information only with service providers we need to operate the Service, and only to the extent necessary:

    • Email delivery provider — to send account emails, check-in prompts, and, when appropriate, recipient notifications.
    • Payment processor — to handle subscription billing and related fraud prevention.
    • Hosting and infrastructure providers — to run the Service itself (application hosting, databases, backups).
    • Legal and safety disclosures — if required by applicable law, valid legal process, or to protect the rights, safety, and property of Gleam, our users, or others.

    We do not share personal information with advertisers or data brokers.

    5. Recipients of Your Messages

    When the inactivity-detection process concludes that a message should be delivered, the recipients you designated will receive a notification and, separately, the verification material required to open the message. Recipients are not informed of the message's existence before delivery.

    6. Data Retention

    • Active accounts — we retain your account and content for as long as your account remains active.
    • Deleted messages — removed from storage after deletion, subject to short operational backup windows.
    • Account deletion — when you delete your account, we delete or anonymize your personal information within a reasonable period, except where retention is required by law or needed to resolve disputes.
    • Delivered messages — we retain delivery records (but not the full decrypted content beyond what is needed) for a limited period after delivery for operational and audit purposes.

    7. Your Rights

    Depending on where you live, you may have rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25), the GDPR, or other applicable laws, including:

    • Access — request a copy of the personal information we hold about you.
    • Correction — ask us to correct inaccurate or incomplete information.
    • Deletion — ask us to delete your account and associated personal information.
    • Portability — receive your information in a commonly used, machine-readable format.
    • Withdraw consent — withdraw any consent you previously gave, without affecting prior lawful processing.
    • Complaint — lodge a complaint with your local data protection authority (in Quebec, the Commission d'accès à l'information).

    To exercise these rights, contact us using the details below. We will respond within the timeframe required by applicable law.

    8. International Data Transfers

    Our infrastructure providers may process data in jurisdictions outside Quebec, including elsewhere in Canada, the United States, or the European Union. Where required, we rely on appropriate safeguards (such as contractual protections) for these transfers.

    9. Children's Privacy

    The Service is not intended for individuals under 13 years of age, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate action.

    10. Cookies and Analytics

    We use strictly functional cookies and similar technologies necessary to operate the Service (authentication, session management, preferences). We do not sell this data or use it for cross-site advertising. If we later add optional analytics, we will disclose it here and, where required, request consent.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version here, update the "Last Updated" date, and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update constitutes acceptance of the revised Policy.

    12. Contact

    Questions, requests, or concerns about this Privacy Policy can be sent to contact@gleam.com.


    © 2025 Gleam. All rights reserved.