Gleam ("Gleam", "we" or "us") provides software that helps online businesses (our "Customers") run engaging marketing campaigns that are promoted to customers ("Campaign Users").
In order to ensure the confidentiality and lawful processing of its Visitors', Customers' and Campaign Users' personal data, Gleam, in its capacity as a data controller and as a processor, conducts its activities in strict compliance with the requirements set in the Australia Privacy Act 1988, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of this data (GDPR) and the California Consumer Privacy Act (CCPA).
We may collect the following types of information about you on our Website
We may collect your personal data in a variety of ways, including, but not limited to, when you visit our Site, register on the Site, subscribe to our newsletter, fill out a form, or in connection with other activities, services, features or resources we make available.
Registration and Contact Information: As appropriate and depending on the Services you would like to use, Customers and Visitors may be asked to provide us with full name, username, email, address, credit card, phone number or billing information.
Payment Information: When you purchase the Services, we will also collect transaction information, which may include your credit card information, billing and mailing address, and other payment-related information.
Third Party Platforms. We may collect information when you interact with our advertisements and other content on third-party sites or platforms, such as social networking sites. This may include information such as Facebook Likes, profile information gathered from social networking sites during signup or the fact that you viewed or interacted with our content.
Gleam is a consent-based marketing platform. This means that in order for us to process data on behalf of users, they must first provide it via explicit consent. This might be as simple as filling out a form or something more complex like connecting Facebook to their Gleam account.
Gleam also does not collect, retain or share end user information, including IP addresses, unique user identifiers, or personally identifiable information gathered on sites or apps not owned by Gleam, except for the limited purpose of determining conversion rates & detecting fraud, in which case all personally identifiable information remains anonymous until you explicitly consent by entering a campaign.
Gleam does not track or provide any personal information to Companies that run Campaigns until you explicitly provide consent. This means that you do not expose any personal information to either Gleam or Companies until you actively participate in their Campaign (whether or not you are still logged into Gleam).
IP Addresses: IP addresses are collected anonymously (last octet removed) for reporting and usage purposes. When you consent to a specific campaign, your IP address is linked to the associated record and allows campaign owners to filter records that share an IP address. Your IP address is never shared publicly within the app and always remains hidden.
Name, Email & Form Fields: By default each Campaign may collect basic login information from users that includes their full name and email address. By entering campaigns you are accepting that campaign owners will have access to the information you provide.
Some Campaigns may also require additional Custom Fields which include Date of Birth (for Age Verification) and other identifiable fields that the user can choose to fill out.
Social Logins: Gleam also allows Campaign Users to connect social accounts to your profile. Companies that have social logins enabled on their Campaigns will be able to see basic information related to accounts that you connect. This includes but is not limited to your name, email address, social profile URLs and associated profile photos.
Persistent Logins: Gleam is a distributed platform, which means that if a Campaign User has previously logged into our widget they will continue to stay logged in via third party Cookies across other Campaigns owned by other Companies until they specifically log out. This is designed to make it easy for users to enter more than one campaign without having to re-enter their details again.
Device fingerprinting is a process by which a fingerprint of a device is captured when visiting a website.
Gleam uses 3rd party services to gather a number of data points from a Gleam Campaign User's computer, such as operating system version, browser version, screen resolution, plug-ins & language. This unique ID is then transmitted when Gleam Campaign Users consent by providing their details when entering a campaign.
The information collected via Device Fingerprinting is used to identify patterns of fraudulent behaviour by Gleam Campaign Users that violate our Terms of Service. This includes trying to cheat by creating multiple accounts, referring your own devices or accounts into a Campaign or attempting to redeem a Reward that is limited to one per person.
Gleam does not use this information to track or identify users on sites or apps not owned by Gleam or for any other purpose than to detect fraud & protect the integrity of Campaigns, nor do we use the gleam.io or js.gleam.io domains to fingerprint on 3rd party domains.
Gleam may collect and use User's personal information for the following purposes:
Gleam does not own or use any identifiable data provided by Campaign Users for any reason other than to:
To guarantee the legality of any transfer of personal data of EEA or Swiss citizens to sub-processors located outside the EEA or Switzerland, Gleam applies additional terms via our Data Processing Agreement.
Gleam may use third party service providers to help us operate our business or administer activities on our behalf, such as sending out newsletters or collecting Website analytics. We may share your information with these third parties for those limited purposes provided that you have given us your permission.
Gleam engages certain onward subprocessors that may process personal data submitted to Gleam's services. These subprocessors are listed below, and may be updated by Gleam from time to time:
Gleam offers a number of integrations with 3rd party service providers that enable Campaign Owners to send Campaign Users data from Gleam for processing:
These providers include:
Users may find advertising or other content on our Site that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website's own terms and policies.
In certain limited circumstances, we may also have to disclose your personal data to public authorities and other third parties, if the disclosure is in response to lawful requests made by such public authorities, including to conform with national security or law enforcement requirements. Your personal information may also be disclosed to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Gleam may also share personal data with third parties to prevent, investigate or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or any other agreement related to the Services, or as otherwise required by law.
We use appropriate technical and organizational security measures to protect any personal information we process about visitors to our Website against unauthorized access, disclosure, alteration, and destruction. However, please note that no Internet transmission can ever be guaranteed 100% secure, and so we encourage you to take care when disclosing personal information online and to use readily available tools, such as Internet firewalls, secure e-mail and similar technologies to protect yourself online.
Sensitive and private data exchange between the Site and its Users happens over an SSL secured communication channel and is encrypted and protected with digital signatures. All user data is encrypted at rest using industry standard AES-256 encryption.
Gleam uses Stripe to process our credit card payments and no credit card details are stored on our servers. Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
In case of an unauthorized security intrusion that materially affects you or the people on your mailing list, Gleam will notify you as soon as possible and will within reasonable time report the action we took in response.
Gleam runs a bug bounty program via HackerOne with cash bounties. If you have found a bug and would like to report it ethically, please email firstname.lastname@example.org for an invite.
The servers where Gleam stores all personal data are located in the US. If you are located in a member country of either the EU or the EEA, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the US. Except in the case of data transfers under the EU-US Privacy Shield and the Swiss-US Privacy Shield, we may ask for your express consent to provide such data to us or allow us to collect such data.
All personal data we process is stored directly, without any subsequent transfers, on US-based servers, which we loan from a third-party datacenter that is certified and adheres to the EU – U.S Privacy Shield Framework.
To additionally guarantee to our Customers and their European Campaign users (data subjects) the legality of our processing services and the international transfers of the personal data, Gleam has undertaken GDPR compliant contractual commitments, binding us, as a data processor, to protect the data privacy and to ensure the most adequate level of data security.
If you are our Customer and your company is either located in the European Economic Area (EEA) or Switzerland, or your company, by using our services, is processing the data of anyone who is in the EEA or Switzerland, then you can request our GDPR compliant Data Processing Agreement by submitting a support ticket from the Support tab inside your account.
Gleam will not retain data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. For Campaign data, Gleam’s Customers have control of the purpose for collecting data, and the duration for which the Personal Data may be kept. When a User’s account is terminated or expired, all Personal Data collected through the platform will be deleted, as required by applicable law.
If a Customer or User account has been suspended for a Terms of Service violation, Gleam will retain the information necessary to continue to enforce this suspension for up to 10 years.
Gleam Website Communication: Our Customers, Site Visitors and Users have a choice about how we use their personal data to get in touch with them and may choose to opt-out at any time by unsubscribing or changing their account settings.
Campaign Users Notifications: We provide an easy mechanism for opting out of any communication from campaigns inside the Post Entry Email. You can simply select the Unsubscribe or "Turn them off" links in the footer.
Campaign Users Social Accounts: We provide a mechanism for every Campaign User to remove any linked social accounts from Gleam via the Edit panel inside our campaign widget.
Your Rights: We provide all Customers, Visitors and Users of our Site with the opportunity to request access to, correction, restriction, deletion or portability of, or to object to, any personal information that has previously been provided to us in connection with the use of our Website, as required by law. You can send us an email at email@example.com. We may request specific information from you to confirm your identity.
Gleam has a Data Protection Officer who is responsible for matters relating to privacy and data protection. This Data Protection Officer can be reached at the following address:
Attn: Data Protection Officer
33 Wimbledon Avenue
For our users or customers living or doing business in California, Gleam is subject to the California Consumer Privacy Act ("CCPA").
Because the nature of our Site and Services does not appeal to children under the age of 13, Gleam does not knowingly acquire or receive personal data from children under 13. We do not intentionally process any information, including Personal Data, from children or other individuals who are not legally able to use our Site and Services. If we later learn that any user of our Service is under the age of 13 and that we have obtained his/her Personal Data, we will promptly delete it from our database and will take further steps to restrict that individual from future access to our Services, unless we are legally obligated to retain such data.
In some cases, we may choose to buy or sell assets. In these types of transactions, customer information is typically one of the business assets that are transferred. Moreover, if Gleam, or substantially all of its assets, were to be acquired, or in the unlikely event that Gleam goes out of business or enters bankruptcy, customer information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Gleam or its assets may continue to use your Personal Information as set forth in this policy.
By using this Site, you signify your acceptance of this policy and terms of service. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.
This document was last updated on Feb 18th, 2020