Last updated: 17 April 2026

1. Who is collecting your data

The data controller for Gleampses is Michelangelo Gubinelli, an individual operating in Italy ("Controller", "we", "us").

Contact: info@gleampses.com

Michelangelo Gubinelli is the sole data controller. There is no joint controller arrangement.

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address, password (hashed), account creation date.
  • Profile data: username, profile picture, bio. Username must be 3–30 characters using lowercase letters, numbers, full stops, or underscores.
  • Location data:geographic coordinates (latitude and longitude) associated with pins you create. This data is collected when you create a pin using your browser's geolocation permission, or when you manually set a location.
  • Pin content:text, links, images, or audio attachments ("artifacts") you attach to pins, including any content within those artifacts.
  • Friendship data: records of friend requests and accepted friendships between users.
  • Diary data:records of pin collections ("diaries") you create or are invited to, and your role within them.
  • Usage metadata: timestamps of account creation and last login, IP address (for security and rate-limiting), and error logs via Sentry.

We do not collect special categories of personal data (Art. 9 GDPR) such as racial or ethnic origin, political opinions, health data, or biometric data.

3. Why we process your data (lawful basis)

We process your data under the following lawful bases as defined in Art. 6 GDPR:

  • Contract performance (Art. 6(1)(b)): Creating your account, authenticating you, allowing you to create and manage pins, artifacts, diaries, and friendships. Without this data, we cannot provide the service.
  • Legitimate interests (Art. 6(1)(f)): Security and integrity of the platform (IP address logging, rate-limiting), fraud prevention, and personalised content (your pins are only shown to authorised users). We have conducted a balancing test confirming these interests are not overridden by your rights.

We do not use your data for automated decision-making or profiling (Art. 22).

4. Who we share your data with

Your personal data is processed by the following sub-processors (Art. 28 GDPR), each bound by appropriate data processing terms:

  • Supabase, Inc. — Authenticated user accounts, relational database (PostgreSQL), file storage for avatars. Privacy policy: supabase.com/privacy
  • Cloudflare, Inc. — Object storage (R2) for pin artifact files (images and audio). Privacy policy: cloudflare.com/privacy-policy
  • Sentry, Inc. — Error monitoring and crash reporting (only in production). Privacy policy: sentry.io/legal/privacy

We do not sell, trade, or transfer your personal data to any other third party.

5. International transfers

We store all data in EU-based regions where technically feasible.

6. How long we keep your data

  • Account data and profile: Retained until you delete your account or until 30 days after you request deletion.
  • Pins, artifacts, friendships, diaries: Deleted automatically when your account is deleted (via CASCADE in the database). R2 artifact files are deleted from storage within 30 days of account deletion.
  • Error logs (Sentry): Retained for 90 days in production, then automatically deleted.

After account deletion, residual data is deleted within 30 days unless a legal obligation requires further retention (Art. 17(3)(b) GDPR).

7. Your rights under GDPR

You have the following rights regarding your personal data. To exercise any of these rights, contact us at info@gleampses.com. We will respond within 30 days.

  • Right of access (Art. 15): Request a copy of all personal data we hold about you. Use the account export feature in your account settings or email us.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data. You can update your profile directly in the app.
  • Right to erasure (Art. 17): Request deletion of your account and all associated data. Use the account deletion feature in your account settings or email us.
  • Right to restriction (Art. 18): Request that we restrict processing of your data while a dispute about accuracy or lawfulness is resolved.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON). Use the account export feature in your account settings.
  • Right to object (Art. 21): Object to processing based on legitimate interests. Contact us with your objection.
  • Right to withdraw consent:You can withdraw cookie consent at any time by adjusting your preferences via the cookie settings link in the footer or by clearing the "gleampses_cookie_consent" cookie.

Right to lodge a complaint (Art. 77):You have the right to file a complaint with the Italian data protection authority ("Garante per la protezione dei dati personali") if you believe we have violated your data protection rights. Website: garanteprivacy.it

8. How we protect your data

We implement appropriate technical and organisational security measures as required by Art. 32 GDPR, including: encrypted data in transit (TLS), authentication via Supabase Auth, Row Level Security policies enforced at the database level, rate-limiting on sensitive API routes, and access controls on cloud storage buckets. Passwords are hashed using bcrypt via Supabase Auth and are never stored in plaintext.

9. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Garante within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the risk is high, we will also notify affected users directly without undue delay.

10. Cookies

Gleampses uses essential cookies required for authentication and security, and analytics cookies only after your consent. For full details, see our Cookie Policy.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the date of the most recent version. If we make material changes, we will notify you via the email address associated with your account or by placing a notice in the application.