Privacy Policy
Last updated: April 12, 2026
GlobaLink LLC · 66 W Flagler St, Miami FL 33130
Data controller contact: support@globalinkservices.io
What We Collect
- Account information: email address, workspace name
- Usage data: agent registrations, task routing events, handoff logs
- API keys (BYOK): stored encrypted, never logged in plaintext, never shared
- Payment data: processed by Stripe — COMMAND never stores card numbers
- Analytics (optional, consent-gated): session recordings and heatmaps via Microsoft Clarity — only collected after you accept analytics in the consent banner
Legal Bases for Processing (GDPR Art. 6 / LGPD Art. 7)
- Contract performance (Art. 6(1)(b) GDPR / Art. 7(V) LGPD): Account creation, workspace operation, billing, and product delivery
- Legitimate interests (Art. 6(1)(f) GDPR / Art. 7(IX) LGPD): Append-only audit ledger integrity, security monitoring, fraud prevention
- Consent (Art. 6(1)(a) GDPR / Art. 7(I) LGPD): Analytics via Microsoft Clarity (optional — you may decline at any time by clearing your consent in browser storage)
- Legal obligation (Art. 6(1)(c) GDPR / Art. 7(II) LGPD): Compliance with applicable law and regulatory requests
How We Use It
- To operate the COMMAND Agent Operations Center
- To provide the Agent Status Dashboard, Task Router, and Context Bridge features
- To maintain the append-only audit ledger (SHA-256 chain) for your workspace
- To send product updates and billing communications (no marketing spam)
- We do not sell your data. We do not share your data with advertisers.
Data Storage & Retention
- Hosted on Supabase (Postgres) — US East region
- Row-level security (RLS) enforced — your workspace data is isolated
- Account and workspace data retained while your subscription is active, then deleted within 30 days of account closure
- Audit ledger entries are append-only by design and cannot be individually deleted or modified — this is a security integrity guarantee, not a data-retention choice. Upon full account deletion, the ledger is purged with the workspace.
- Database backups retained for 30 days, then automatically purged
Sub-processors
GlobaLink uses the following third-party processors to deliver the Service. Each operates under its own DPA with GlobaLink:
- Supabase — database and authentication (US East)
- Stripe — payment processing (US)
- Vercel — hosting and edge delivery (US / global CDN)
- Microsoft (Clarity) — analytics, session recordings (US) — consent-gated, production only
- Buttondown — transactional and milestone email (US)
We do not use any EU-based sub-processors. All transfers of EU/EEA or Brazilian personal data to US processors are covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms provided by each processor.
Cookies & Tracking
- Essential cookies (always active): Supabase Auth session token — required for you to stay signed in
- Analytics cookies (optional, consent-gated): Microsoft Clarity — session recordings, heatmaps, rage-click detection. Only activated after you click “Accept Analytics” in the consent banner. You can revoke by clearing your browser’s localStorage entry gl_cookie_consent.
- No advertising cookies
- No cross-site tracking
Your Rights (GDPR & LGPD)
Under GDPR (EU/EEA users) and LGPD (Brazilian users) you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and workspace data
- Portability — receive your data in a machine-readable format
- Restriction — limit processing in certain circumstances
- Object — object to processing based on legitimate interests
- Withdraw consent — revoke analytics consent at any time (clear gl_cookie_consent from localStorage)
To exercise any right, contact support@globalinkservices.io. We respond within 30 days. Account deletion removes all workspace data within 30 days. You may also revoke API keys at any time from Settings.
Brazilian users may also lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd. EU/EEA users may lodge a complaint with their local supervisory authority.
Contact & Supervisory Authority
Data controller: GlobaLink LLC, 66 W Flagler St, Miami FL 33130
Email: support@globalinkservices.io
GlobaLink does not currently operate an EU representative or a designated DPO. If your supervisory authority requires a formal DPO appointment, contact us at the address above.