Privacy Policy
Last updated: May 2026
1. Who we are
This Privacy Policy explains how Gloss (“Gloss”, “we”, “us”, “our”) handles personal data when you use Gloss.
We are the “data controller” for the purposes of UK GDPR and the Data Protection Act 2018. If you have any questions, email us at privacy@trygloss.tech.
2. What data we collect
- Account + licence data. Your email address, your licence key, and a SHA-256 hash of your machine derived from the operating system and platform hardware identifier (IOPlatformUUID on macOS). The raw hardware identifier never leaves your device; only the one-way hash is sent to us so we can bind an activation to the device you activated.
- Payment data. Processed and stored entirely by Stripe, Inc. We receive a Stripe customer id and transaction metadata (amount, currency, date, country) so we can correlate purchases with licences and issue refunds.
- Magic-link tokens. When you sign in to the dashboard we email you a single-use, 15-minute-TTL token. Only a SHA-256 hash of the raw token is stored — a database leak can't be replayed as a working sign-in link.
- Session data. While you're signed in we store a session row with the IP address and user-agent of the browser you signed in from (truncated to 400 characters).
- Technical logs. Our server keeps rolling access logs for 30 days (IP address, user agent, request path) for security + abuse-prevention. These are auto-deleted after 30 days.
We do not collect: what you type; your glossaries or configuration; analytics about how you use the desktop app; or any third-party tracking cookies. Gloss runs entirely on your Mac — your keystrokes never leave your device.
3. Why we use it
Our lawful bases under UK GDPR Article 6:
- Contract — to deliver the software you purchased, issue + validate your licence, and operate the update channel.
- Legitimate interests — to prevent licence abuse (fraud, key-sharing beyond the 1-device policy) and to keep our servers secure.
- Legal obligation — to keep invoices + VAT records as required by HMRC (6 years from the end of the accounting period).
4. Who we share it with
- Stripe (US-based, UK-GDPR-compliant) — payments processor. See stripe.com/privacy.
- Resend (US-based) — transactional email provider for magic links + receipts. See resend.com/legal/privacy-policy.
- DigitalOcean (EU/US) — hosting infrastructure.
- Keygen — licensing backend, self-hosted on our own DigitalOcean server. No third-party Keygen cloud involvement.
We do not sell your data. We do not share it with advertisers. We only disclose it to the processors above for the contractual purposes described, under written data-processing terms.
5. International transfers
Some processors (Stripe, Resend) are US-based. Transfers rely on the UK Addendum to the EU Standard Contractual Clauses plus the UK extension to the EU–US Data Privacy Framework where applicable.
6. How long we keep it
- Licence + machine data: for the life of the licence + 2 years.
- Invoices: 6 years (UK HMRC requirement).
- Access logs: 30 days.
- Consumed magic-link token records: up to 30 days (hash only).
- Unused magic-link tokens: 15 minutes (they expire automatically).
- Customer session records: for the life of the session (sliding 30-day window) + up to 90 days after revocation as an audit trail.
- Admin session records: 8-hour sliding window on use.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data erased where we no longer need it (subject to HMRC record-keeping on invoices).
- Restrict or object to certain processing.
- Port your data to another controller.
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
For erasure requests or anything else, email privacy@trygloss.tech and we'll respond within one month.
8. Cookies
We use a small set of first-party cookies; none are for advertising or analytics:
- __Host-gl_customer on app.trygloss.tech: your signed-in customer session. Set only after you complete a magic-link sign-in.
- __Host-gl_admin on admin.trygloss.tech: the operator session. Admin accounts are staff-only.
9. Security
All traffic is TLS 1.3. Session cookies are HttpOnly, Secure, and use the __Host- prefix which binds them to a single host and path. The admin cookie uses SameSite=Strict and the customer cookie uses SameSite=Lax. Admin passwords are hashed with argon2id and every admin account requires TOTP two-factor auth.
10. Changes
If we materially change how we handle data we'll update this page and email active licence holders. The “Last updated” date at the top reflects the most recent revision.