Privacy Policy
Last updated: March 23, 2026
1. Data Controller
Eliana dos Santos Pereira
Wilhelm-Greil-Straße 14
6020 Innsbruck, Österreich
Email: privacy@glimm.app
2. Overview of Data Processing
The following information provides an overview of what happens to your personal data when you use this website. We take the protection of your data very seriously and process personal data only in accordance with the DSGVO (GDPR).
3. Hosting & Server
This website is hosted by Hostinger International Ltd. The hosting provider collects access data in server log files (IP address, date, time, browser type, operating system, referrer URL). This data is used exclusively to ensure trouble-free operation and is automatically deleted after 14 days. Legal basis: Art. 6(1)(f) DSGVO (GDPR) (legitimate interest in secure operation).
4. Registration & Account
When registering as a therapist, we collect:
- Email address (stored encrypted; a cryptographic hash of the address is used for login matching)
- First and last name (stored encrypted)
- Password (securely hashed; plaintext is never stored)
Legal basis: Art. 6(1)(b) DSGVO (GDPR) (performance of contract). Optional: Google OAuth — in this case, we receive your name and email address from Google; no passwords.
5. Encryption
Sensitive personal content — specifically light point texts, email addresses, first and last names, and display names — is stored in the database using AES-256 encryption. The encryption key is kept separate from the database. Even in the event of unauthorised database access, this content would not be readable.
Invoice data (name, address, VAT ID) is stored in plaintext in accordance with statutory retention obligations (BAO § 131, UStG § 11) and is deleted after the statutory retention period expires. IP addresses are stored only as a cryptographic hash (the original IP cannot be recovered).
6. Client Data & Session Mode
Clients authenticate via a 6-digit connection code and a 4-digit PIN. An optional display name (first name or nickname) may be provided. Light point texts are stored encrypted.
Session Mode (Privacy by Design): Therapists gain access to light point content exclusively during session mode. Session mode is initiated by a session request from the therapist and requires the client's express consent. It begins only after both parties agree, and it:
- lasts for the agreed session duration (configurable, default 90 minutes),
- ends automatically after time expires or when the client actively ends it,
- requires the client's consent — therapists cannot start session mode unilaterally,
- grants therapists read access to the text, colour, and position of light points — no photos or audio content.
Outside of session mode, therapists have no access to light point content. Legal basis: Art. 6(1)(b) DSGVO (GDPR) (performance of contract).
7. Cookies & Sessions
We use strictly necessary session cookies only. No tracking cookies, analytics tools, or advertising cookies are used. No Google Analytics, no Facebook Pixel, no comparable services. Legal basis: Art. 6(1)(f) DSGVO (GDPR).
8. Payment Processing
Payment processing is handled by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA). Stripe processes payment data (card number, expiry date, CVC) as an independent data controller. We do not store any credit card data. Legal basis: Art. 6(1)(b) DSGVO (GDPR). Stripe's privacy policy: https://stripe.com/de/privacy.
9. Cloudflare
We use Cloudflare (101 Townsend St, San Francisco, CA 94107, USA) as a CDN, for DDoS protection, and as object storage (Cloudflare R2) for uploaded media (photos, voice messages). Cloudflare may process connection data (IP address, browser) in this context. Legal basis: Art. 6(1)(f) DSGVO (GDPR). Privacy policy: cloudflare.com/privacypolicy.
9a. Cloudflare Turnstile (Bot Protection)
To protect our forms from automated attacks, we use Cloudflare Turnstile. Technical data is transmitted to Cloudflare to verify whether the request originates from a human. No cookies are set and no fingerprinting is performed. Legal basis: Art. 6(1)(f) DSGVO (GDPR) (legitimate interest in protection against abuse).
9b. Amazon Web Services SES (Email Delivery)
For sending transactional emails, we use Amazon Simple Email Service (SES) provided by Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxembourg). AWS SES processes email addresses and email content as a data processor. Processing takes place in the EU region (eu-north-1, Stockholm). Legal basis: Art. 6(1)(b) DSGVO (GDPR) (performance of contract). Privacy policy: aws.amazon.com/privacy.
9c. Google OAuth (Optional Login)
Optionally, you may register and log in using your Google account. In doing so, we receive your name and email address from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). We receive no access to your Google password, contacts, or other Google data. Data transfers to the USA are based on the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent). Privacy policy: policies.google.com/privacy.
9d. Therapist Directory (Public Profile)
Registered therapists can voluntarily activate a public profile on Glimm. This profile is publicly accessible at an individual URL (e.g. glimm.life/t/your-name) and is indexed by search engines.
Published data:
- Name and academic title
- Practice name (if provided)
- City / Region
- Specializations and therapy methods
- Short biography (if provided)
- Website URL (if provided)
Legal basis: Art. 6(1)(a) DSGVO (GDPR) (explicit consent). Consent is obtained when activating the profile through a separate consent dialog and is recorded with a timestamp, IP hash, and user agent.
Purpose: Search engine indexing so that people can find and contact therapists who use Glimm.
Withdrawal: Consent can be withdrawn at any time in the account settings. The profile will then be immediately removed from the web. The consent record is retained for documentation purposes.
Deletion: Upon account deletion (Art. 17 DSGVO (GDPR)), all profile data is permanently deleted.
10. Data Transfers to Third Countries
Stripe, Cloudflare, and Google are based in the USA. Data transfers to the USA are based on the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023, Art. 45 DSGVO (GDPR)). Stripe, Cloudflare, and Google are certified under the EU-US DPF. AWS SES operates in the EU region (Stockholm, eu-north-1). Additionally, Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) DSGVO (GDPR) are in place as a supplementary safeguard.
11. Data Processing Agreement (Auftragsverarbeitung)
Glimm processes personal data on behalf of registered therapists (data processing pursuant to Art. 28 DSGVO (GDPR)). Therapists are the data controllers for the data entered by their clients. A Data Processing Agreement (AVV/DPA) can be viewed and downloaded at glimm.app/avv.
11a. Biometric Login (WebAuthn)
Glimm optionally offers the ability to log in via fingerprint or facial recognition (WebAuthn/FIDO2 standard). The following applies:
- No biometric data on our servers: Your fingerprint or face never leaves your device. Biometric verification takes place exclusively on your local device.
- What we store: A cryptographic public key and a credential ID. This data contains no biometric information whatsoever.
- Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent). Voluntary, revocable at any time.
- Deletion: Upon account deletion, all stored WebAuthn credentials are automatically deleted.
12. Your Rights (DSGVO / GDPR)
- Art. 15: Right of access — You have the right to obtain information about your stored data.
- Art. 16: Right to rectification — You may request the correction of inaccurate data.
- Art. 17: Right to erasure — You may request the deletion of your data (account deletion function available in settings).
- Art. 18: Right to restriction of processing.
- Art. 20: Right to data portability — Data export as JSON is available in the settings.
- Art. 21: Right to object to processing.
13. Storage Duration
Personal data is deleted as soon as the purpose of storage no longer applies. Upon account deletion, a 30-day grace period applies (allowing for reactivation), after which all data is irrevocably deleted. Billing data is retained for 7 years in accordance with statutory retention obligations (§ 132 BAO).
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40-42, 1030 Wien
www.dsb.gv.at
Privacy inquiries: privacy@glimm.app