Privacy policy
Privacy Policy
- Version:
- 2026.04
- Effective from:
- April 01, 2026
This Policy describes how Glivo processes personal data in the context of the platform, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the national implementing laws of the EU/EEA Member States in which the platform is offered. It forms an integral part of the Terms of Use and must be read together with them.
1. Who we are
The Glivo platform is developed and operated by Glivo LLC, a limited liability company incorporated under the laws of the State of Wyoming, United States of America, with its registered office at [full address to be completed].
Because Glivo offers the Services to data subjects located in the European Union, Glivo LLC has appointed an EU representative under Article 27 GDPR, as set out below.
| Contact | Information |
|---|---|
| Data Protection Officer (DPO) | [to be defined] — hello@glivo.ai |
| EU Representative (Art. 27 GDPR) | [to be defined] |
| Channel for data subjects | hello@glivo.ai |
| Lead Supervisory Authority | to be designated based on the location of the EU establishment / representative |
2. Who this Policy applies to
This Policy applies to the following data subjects:
- End customers — individuals served by sellers in an environment with active recording.
- Sellers — professionals who use the mobile app to record commercial interactions.
- Managers and administrators — employees of franchisors or franchisees who use the web dashboard.
- Visitors — individuals who access Glivo’s institutional websites.
3. Roles in processing (GDPR)
As a general rule:
- Controller: the franchisor or franchisee that contracts Glivo. It determines the purposes and essential means of processing the data of its customers and sellers.
- Processor: Glivo LLC, which processes the data on behalf of the controller, in accordance with the contract entered into and the instructions received (Art. 28 GDPR).
For the registration data of managers and administrators directly collected by Glivo (e.g., name, login email), Glivo acts as controller.
4. What data we process
4.1 End customers (commercial interactions)
- Audio of the commercial interaction (voice and speech).
- Textual transcription of the interaction, with automatic anonymization of PII before being made available internally.
- Any personal data mentioned in the conversation (name, national identification numbers, phone, email, address) — automatically detected and masked in the anonymized version.
4.2 Sellers
- Registration data (name, email, phone, role, assigned unit).
- Voice and speech captured during interactions.
- Results of automated analyses (scores, indicators, AI comments).
- App usage data (technical logs, sessions, devices).
4.3 Managers and administrators
- Registration data (name, email, role, organization).
- Authentication data (hashed password, session tokens).
- Web dashboard usage data (logs, audit trail).
4.4 Data we do NOT collect intentionally
Glivo does not request or encourage the collection of special categories of data (Art. 9 GDPR: health, religion, political opinions, sexual orientation, biometric data for identification, genetic data) or data of minors. If such data should incidentally appear in recordings, automatic anonymization seeks to mask them, and controllers are instructed to avoid such collection.
5. Why we process the data (purposes and legal bases)
| Purpose | Legal basis (GDPR) |
|---|---|
| Coaching and professional development of sellers | Legitimate interest (Art. 6(1)(f)) |
| Training and continuous improvement of teams | Legitimate interest (Art. 6(1)(f)) |
| Quality analysis of customer interactions | Legitimate interest (Art. 6(1)(f)) |
| Complaint handling and internal audit | Legitimate interest / compliance with legal obligation |
| User registration and authentication | Performance of contract (Art. 6(1)(b)) |
| Compliance with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| Defense in judicial or administrative proceedings | Legitimate interest / exercise of legal claims |
| Communication with data subjects and support | Performance of contract / legitimate interest |
Legitimate interest assessment: when relying on legitimate interest (Art. 6(1)(f) GDPR), the controller must perform and document a balancing test (Legitimate Interest Assessment, LIA) demonstrating that its interests are not overridden by the fundamental rights and freedoms of the data subject. Glivo provides a template upon request.
The data is not used for: targeted advertising, commercial profiling outside the coaching context, training of AI models external to the platform, sale, or sharing with third parties for unauthorized purposes.
6. Automated decision-making (Art. 22 GDPR)
The analysis performed by Glivo’s AI generates scores, indicators and comments on sellers’ performance. These outputs are probabilistic, advisory and ancillary in nature — they do not constitute automated decisions that produce legal effects or similarly significantly affect data subjects under Art. 22 GDPR, insofar as any decision affecting sellers requires qualified human review, as contractually required of the controller.
Notwithstanding the above, data subjects always retain the right to obtain human intervention, to express their point of view and to contest any decision (Art. 22(3) GDPR).
7. Automatic PII anonymization
Before transcripts are made available to managers, the platform performs automatic detection and masking of:
- Proper names (of natural persons, third-party companies).
- National identification numbers (NIF, NIPC, DNI, NIE, CIF, NIN, etc.).
- Phone numbers and email addresses.
- Postal addresses and locations.
Anonymization combines regular expressions and language models as a redundant layer. Although robust, no absolute guarantee of removal in 100% of cases is provided. We therefore recommend that customers and sellers avoid providing sensitive data during conversations.
8. Where data is processed
Glivo processes personal data in secure data centers, operated by cloud providers that meet international information-security standards (ISO 27001, SOC 2 or equivalents). We apply the following measures across the operation:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Per-organization isolation via Row-Level Security (RLS) at the database layer.
- Role-based access control (owner, admin, manager, seller) with auditing.
8.1 International transfers (Chapter V GDPR)
Glivo LLC is established in the United States, and the operation of the platform involves transfers of personal data outside the European Economic Area (EEA). In particular, the following operationally essential services may involve sub-processors located in third countries:
- Cloud hosting (primary database provider, audio storage).
- Large language models (LLM) used for transcript analysis.
- Audio transcription (where carried out by a specialized provider).
- Transactional email, monitoring and security services.
To ensure a level of protection essentially equivalent to the GDPR, Glivo adopts one or more of the following safeguards under Articles 44 to 49 GDPR:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), including the applicable module (controller-processor or processor-processor);
- Adequacy decisions of the European Commission, where applicable (including, with respect to the United States, the EU-U.S. Data Privacy Framework for certified entities, while in force);
- Transfer Impact Assessments (in light of the Schrems II judgment of the CJEU, Case C-311/18) to evaluate the law of the recipient country;
- Supplementary measures, technical (additional encryption, prior anonymization) and organizational, in line with EDPB Recommendations 01/2020, where necessary;
- Contractual commitment by sub-processors not to retain data after processing and not to use it to train their own models.
The up-to-date list of sub-processors and their locations may be requested in writing from the DPO or consulted at https://glivo.ai/subprocessors.
9. How long we keep data
| Category | Standard period | Notes |
|---|---|---|
| Raw audio | 90 days after recording | Configurable by contract. Automatically deleted at end of period. |
| Anonymized transcripts | Per controller policy | Typically 12 to 24 months, for development history. |
| Analysis outputs (scores, indicators) | Per controller policy | Required to track seller’s evolution over time. |
| User accounts | Duration of relationship + statutory periods | Anonymized or deleted upon termination. |
| Audit and security logs | Up to 6 years | Compliance with legal obligations and defense in proceedings. |
| Data after contract termination | Deleted or returned to controller | As agreed. |
Early deletion on request: end customers, sellers and managers may request the deletion of specific recordings or data at any time, subject to mandatory legal retention obligations.
10. Who we share data with
Glivo does not sell personal data. We share only with:
- The controller itself (franchisor / franchisee) — full access to the data of its organization, within the platform.
- Strictly necessary sub-processors for the operation: hosting providers, transactional email, language models for analysis, transcription (with the safeguards described in section 8).
- Competent authorities, subject to a court order or valid legal request.
- Third parties in the event of a corporate transaction (merger, acquisition), with prior notice and continuation of the commitments of this Policy.
The up-to-date list of sub-processors may be requested in writing from the DPO.
11. Data subject rights (GDPR)
You have the following rights regarding your personal data:
| Right | Legal basis | What it means |
|---|---|---|
| Access | Art. 15 GDPR | Confirm whether Glivo processes your data and obtain a copy. |
| Rectification | Art. 16 GDPR | Correct incomplete, inaccurate or out-of-date data. |
| Erasure (“right to be forgotten”) | Art. 17 GDPR | Request the deletion of data in the situations provided by law. |
| Restriction of processing | Art. 18 GDPR | Restrict the processing of your data in certain situations. |
| Data portability | Art. 20 GDPR | Receive your data in a structured, commonly used and machine-readable format and transmit it to another controller. |
| Objection | Art. 21 GDPR | Object to processing based on legitimate interest (Art. 6(1)(f)). |
| Not to be subject to automated decisions | Art. 22 GDPR | Right to human intervention, to express your point of view and to contest decisions. |
| Withdrawal of consent | Art. 7(3) GDPR | Where applicable, withdraw consent previously given. |
| Lodge a complaint with a supervisory authority | Art. 77 GDPR | File a complaint with the supervisory authority of your habitual residence, place of work, or where the alleged infringement occurred. |
How to exercise your rights
For end customers and sellers: the request should be addressed, first, to the franchisee responsible for the unit that collected your data. That is the controller and has the primary duty to respond.
If the controller does not respond within a reasonable period, or where Glivo is the direct controller, write to:
📧 hello@glivo.ai — subject: “GDPR Request”
Glivo will respond within the legal deadline of one month (Art. 12(3) GDPR), extendable by two further months in complex cases, with notice to the data subject.
You also have the right to lodge a complaint with the competent supervisory authority in your EU/EEA Member State (full list at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
12. Information security
We adopt appropriate technical and organizational measures (Art. 32 GDPR), including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Per-organization data isolation (RLS).
- Role-based access control and least-privilege principle.
- Strong-password authentication + tokens with expiration and rotation.
- Audit logs with appropriate retention.
- Regular backups and disaster recovery plan.
- Periodic vulnerability review.
- Team training on security and privacy.
In the event of a personal data breach that poses a risk to data subjects’ rights and freedoms, Glivo will:
- Notify the affected controller without undue delay, in any case within 48 hours of confirmation;
- Cooperate so that the controller may notify the competent supervisory authority within the maximum period of 72 hours (Art. 33 GDPR);
- Assist with communication to affected data subjects, where required under Art. 34 GDPR.
13. Cookies and similar technologies
The web dashboard and institutional websites use cookies strictly necessary for operation (authentication, session, preferences). We do not use advertising cookies or third-party tracking. Additional details are set out in the Cookie Policy.
14. Children and minors
The platform is not intended for individuals under 18. We do not intentionally collect data from children or minors. If we identify inadvertent collection, the data will be deleted immediately. Member-State law may set a lower age threshold for consent in connection with information-society services (Art. 8 GDPR).
15. Changes to this Policy
We may update this Policy to reflect legal, technological or operational changes. Material changes will be communicated with reasonable notice through the usual channels (email, in-platform notice). The most recent version is always available on the platform.
| Version | Date | Summary |
|---|---|---|
| 2026.04 | April 2026 | Initial en-US version, GDPR-adapted. |
16. Applicable law
This Policy is governed by Regulation (EU) 2016/679 (GDPR), the national implementing laws of the relevant EU/EEA Member State, and the guidance of the European Data Protection Board (EDPB).
17. Contact us
For questions, suggestions, complaints or to exercise your rights:
🌐 glivo.ai
Glivo · Sales coaching platform for franchises.
Glivo LLC — Wyoming, USA · EU Representative: [to be defined] (Art. 27 GDPR).
Version: April 2026.