Gleam (“Gleam”, “we” or “us”) provides software that helps online businesses (our “Customers”) run engaging marketing campaigns that are promoted to customers (“Campaign Users”).
In order to ensure confidentiality and lawful processing of its, Visitors, Customers and Campaign Users personal data, Gleam in its capacity of a data controller and of a processor, conducts its activities in strict compliance with the requirements set in the Australia Privacy Act 1988, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of this data (GDPR) and the California Consumer Privacy Act (CCPA).
What Information We Collect and How We Use It
We may collect the following types of information about you on our Website
Customers and Visitors of our Site
We may collect your personal data in a variety of ways, including, but not limited to, when you visit our Site, register on the Site, subscribe to our newsletter, fill out a form, or in connection with other activities, services, features or resources we make available.
Registration and Contact Information: As appropriate and depending on the Services you would like to use, Customers and Visitors may be asked to provide us with full name, username, email, address, credit card, phone number or billing information.
Payment Information: When you purchase the Services, we will also collect transaction information, which may include your credit card information, billing and mailing address, and other payment-related information.
Third Party Platforms. We may collect information when you interact with our advertisements and other content on third-party sites or platforms, such as social networking sites. This may include information such as Facebook Likes, profile information gathered from social networking sites during signup or the fact that you viewed or interacted with our content.
Gleam Campaign Users
Gleam is a consent based marketing platform, this means that in order for us to process data on behalf of users they must provide it via explicit consent first. This might be as simple as filling out a form or something more complex like connecting Facebook to their Gleam account.
Gleam also does not collect retain or share end user information including IP addresses, unique user identifiers, or personally identifiable information gathered on sites or apps not owned by Gleam, except for the limited purpose of determining conversion rates & detecting fraud, in which case all personally identifiable information remains anonymous until you explicitly consent by entering a campaign.
Gleam does not track or provide any personal information to Companies that run Campaigns until you explicitly provide consent. This means that you do not expose any personal information to either Gleam or Companies until you actively participate in their Campaign (even if you are still logged into Gleam or not).
IP Addresses: IP addresses are collected Anonymously (last octet removed) for reporting and usage purposes. When you consent to a specific campaign your IP address is linked to the associated record and allows campaign owners to filter records that share an IP address. Your IP address is never shared publicly within the app and always remains hidden.
Name, Email & Form Fields: By default each Campaign may collect basic login information from users that includes their full name and email address. By entering campaigns you are accepting that campaign owners will have access to the information you provide.
Some Campaigns may also require additional Custom Fields which include Date of Birth (for Age Verification) and other identifiable fields that the user can choose to fill out.
Social Logins: Gleam also allows Campaign Users to connect social accounts to your profile. Companies that have social logins enabled on their Campaigns will be able to see basic information related to accounts that you connect. This includes but is not limited to your name, email address, social profile URL’s and associated profile photos.
Gleam will never use or post to these accounts without your permission and will always require your interaction with the widget to execute any specific actions
Gleam will only ever use information that you have made public or specifically allowed us to access when you accept permissions
Gleam does not know or store any passwords associated with your social accounts
If you wish to remove the link between Gleam and any social network, you can either remove the Gleam Competitions app inside that specific social network or unlink it from the Edit tab inside the Campaign
Persistent Logins: Gleam is a distributed platform, which means that if a Campaign User has previously logged into our widget they will continue to stay logged in via third party Cookies across other Campaigns owned by other Companies until they specifically log out. This is designed to make it easy for users to enter more than one campaign without having to re-enter their details again.
YouTube and Google
For YouTube Actions, Gleam uses YouTube’s API Services to receive data. Users who use these Actions agree to be bound by the YouTube Terms of Service.
Persist Customers sessions that are logged into Gleam
Persist Campaign Users sessions that are logged into campaigns (either on Gleam.io or embedded via iFrames)
Tracking and awarding credit for referring users via our Viral Share Action
Tracking browser behaviours to show Capture campaigns
Tracked users referred by our Referral Program
Device fingerprinting is a process by which a fingerprint of a device is captured when visiting a website.
Gleam uses 3rd party services to gather a number of data points from a Gleam Campaign Users computer, such as operating system version, browser version, screen resolution, plug-ins & language. This unique ID is then transmitted when Gleam Campaign Users consent by providing their details when entering a campaign.
The information collected via Device Fingerprinting is used to identify patterns of fraudulent behaviour by Gleam Campaign Users that violate our Terms of Service. This includes trying to cheat by creating multiple accounts, referring your own devices or accounts into a Campaign or attempting to redeem a Reward that is limited to one per person.
Gleam does not use this information to track or identify users on sites or apps not owned by Gleam or for any other purpose than to detect fraud & protect the integrity of Campaigns, nor do we use the gleam.io or js.gleam.io domains to fingerprint on 3rd party domains.
How We Use Collected Information
Gleam may collect and use User’s personal information for the following purposes:
Gleam Website Users
To administer our Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
To write or display content such as case studies or customer testimonials on our Site;
To improve Gleam to ensure that content is presented in the most effective manner for you and for your Device;
To allow you to participate in interactive features of our service, when you choose to do so;
To send periodic emails: We may use the email address to send User information and updates pertaining to their subscription. It may also be used to respond to their inquiries, questions, and/or other requests.
Gleam Campaign Users
Gleam does not own or use any identifiable data provided by Campaign Users for any reason other than to:
Ensure that your specific request is carried out and assigned to the correct campaign that you provided consent for
Identify and detect fraudulent behaviour or Campaign Users that are violating our Terms of Service
Provide support to Customers regarding specific Campaign User queries
Analyze anonymized statistics or usage to help improve the Gleam platform
Sharing Information With Third Parties
To guarantee the legality of any transfer of personal data of EEA or Swiss citizens to sub-processors located outside the EEA or Switzerland, Gleam applies additional terms via our Data Processing Agreement.
Customers and Visitors of our Site
Gleam may use third party service providers to help us operate our business or administer activities on our behalf, such as sending out newsletters or collecting Website analytics. We may share your information with these third parties for those limited purposes provided that you have given us your permission.
Gleam engages certain onward subprocessors that may process personal data submitted to Gleam’s services. These subprocessors are listed below, and may be updated by Gleam from time to time:
Amazon Web Services – Privacy Shield Certified
Bugsnag – Privacy Shield Certified
Frontapp – Privacy Shield Certified
Google Analytics – Privacy Shield Certified
Intercom – Privacy Shield Certified
Mailgun – Privacy Shield Certified
Stripe – Privacy Shield Certified
Gleam Campaign Owners
Gleam offers a number of integrations with 3rd party service providers that enable Campaign Owners to send Campaign Users data from Gleam for processing:
These providers include:
Active Campaign – Privacy Shield Certified
Amazon Web Services – Privacy Shield Certified
AWeber – Privacy Shield Certified
Benchmark Email – Privacy Shield Certified
Bit.ly – Privacy Shield Certified
Bronto – Privacy Shield Certified
Constant Contact – Privacy Shield Certified
Emma – Privacy Shield Certified
Google Analytics – Privacy Shield Certified
Highrise – Privacy Shield Certified
HubSpot – Privacy Shield Certified
Mad Mimi – Privacy Shield Certified
MailChimp – Privacy Shield Certified
Mailgun – Privacy Shield Certified
Marketo – Privacy Shield Certified
Ontraport – Privacy Shield Certified
Sailthru – Privacy Shield Certified
SalesForce – Privacy Shield Certified
SalesForce Marketing Cloud – Privacy Shield Certified
SendGrid – Privacy Shield Certified
Shopify – Privacy Shield Certified
Silverpop (IBM Cloud) – Privacy Shield Certified
Zapier – Privacy Shield Certified
Zoho – Privacy Shield Certified
Third Party Websites
Users may find advertising or other content on our Site that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
In certain limited circumstances, we may also have to disclose your personal data to public authorities and other third parties, if the disclosure is in response to lawful requests made by such public authorities, including to conform with national security or law enforcement requirements. Your personal information may also be disclosed to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Gleam may also share personal data with third parties to prevent, investigate or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or any other agreement related to the Services, or as otherwise required by law.
We use appropriate technical and organizational security measures to protect any personal information we process about visitors to our Website against unauthorized access, disclosure, alteration, and destruction. However, please note that no Internet transmission can ever be guaranteed 100% secure, and so we encourage you to take care when disclosing personal information online and to use readily available tools, such as Internet firewalls, secure e-mail and similar technologies to protect yourself online.
Sensitive and private data exchange between the Site and its Users happens over an SSL secured communication channel and is encrypted and protected with digital signatures. All user data is encrypted at rest using industry standard AES-256 encryption.
Gleam uses Stripe to process our credit card payments and no credit card details are stored on our servers. Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
In case of an unauthorized security intrusion that materially affects you or the people on your mailing list Gleam will notify you as soon as possible and will within reasonable time report the action we took in response.
Reporting Seucrity Issues
Gleam runs a bug bountry program via HackerOne with cash bounties. If you have found a bug and would like report it ethically, please email [email protected] for an invite.
EU and EEA residents
The servers where Gleam stores all personal data are located in the US. If you are located in a country member of either the EU or the EEA, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the US. Except in the case of data transfers under the EU-US Privacy Shield and the Swiss-US Privacy Shield, we may ask for your express consent to provide such data to us or allow us to collect such data.
International Transfer of Personal Data
All personal data we process is stored directly, without any subsequent transfers, on US-based servers, which we loan from a third-party datacenter that is certified and adheres to the EU – U.S Privacy Shield Framework.
To additionally guarantee to our Customers and their European Campaign users (data subjects) the legality of our processing services and the international transfers of the personal data, Gleam has undertaken GDPR compliant contractual commitments, binding us, as a data processor, to protect the data privacy and to ensure the most adequate level of data security.
Data Processing Agreement
If you are our Customer and your company is either located in the European Economic Area (EEA) or Switzerland, or your company, by using our services, is processing the data of anyone who is in the EEA or Switzerland, then you can request our GDPR compliant Data Processing Agreement by submitting a support ticket from the Support tab inside your account.
Data Retention Periods
Gleam will not retain data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. For Campaign data, Gleam’s Customers have control of the purpose for collecting data, and the duration for which the Personal Data may be kept. When a User’s account is terminated or expired, all Personal Data collected through the platform will be deleted, as required by applicable law.
If a Customer or User account has been suspended for a Terms of Service violation, Gleam will retain the information necessary to continue to enforce this suspension for up to 10 years.
Privacy Controls & Choices
Gleam Website Communication: Our Customers, Site Visitors and Users have a choice about how we use their personal data to get in touch with them and may choose to opt-out at any time by unsubscribing or changing their account settings.
Campaign Users Notifications: We provide an easy mechanism for opt-ing out of any communication from campaigns inside the Post Entry Email. You can simply select the Unsubscribe or “Turn them off” links in the footer.
Campaign Users Social Accounts: We provide a mechanism for every Campaign User to remove any linked social accounts from Gleam via the Edit panel inside our campaign widget.
Your Rights: We provide all Customers, Visitors and Users of our Site with the opportunity to request access, correction, restriction, deletion, data portability or oppose to any personal information that has previously been provided to us in connection with the use of our Website, as required by law. You can send us an email to [email protected]. We may request specific information from you to confirm your identity.
Gleam’s Data Protection Officer
Gleam has a Data Protection Officer who is responsible for matters relating to privacy and data protection. This Data Protection Officer can be reached at the following address:
Attn: Data Protection Officer
33 Wimbledon Avenue
California Consumer Privacy Act
For our users or customers living or doing business in California, Gleam is subject to the California Consumer Privacy Act (“CCPA”).
Gleam Does Not Sell Your Personal Information. You can read more about this in our Sharing Information With Third Parties section.
Accuracy and Access To Your Personal Information. If you believe that Personal Information Gleam holds about you is inaccurate, you may modify or correct your Personal Information the Edit tab for Gleam Campaign Users, the User Settings tab for Gleam Customers or by contacting us at: [email protected]. We may request specific information from you to confirm your identity.
Deleting Your Personal Information. You can learn about this in our Privacy Controls & Choices section.
Compliance With Children’s Online Privacy Protection Act
Because the nature of our Site and Services does not appeal to children under the age of 13, Gleam does not knowingly acquire or receive personal data from children under 13. We do not intentionally process any information, including Personal Data, from children or other individuals who are not legally able to use our Site and Services. If we later learn that any user of our Service is under the age of 13 and that we have obtained his/her Personal Data, we will promptly delete it from our database and will take further steps to restrict that individual from future access to our Services, unless we are legally obligated to retain such data.
In some cases, we may choose to buy or sell assets. In these types of transactions, customer information is typically one of the business assets that are transferred. Moreover, if Gleam, or substantially all of its assets were to be acquired, or in the unlikely event that Gleam goes out of business or enters bankruptcy, customer information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquire of Gleam or its assets may continue to use your Personal Information as set forth in this policy.
Your Acceptance Of These Terms
By using this Site, you signify your acceptance of this policy and terms of service. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.
This document was last updated on Feb 18th, 2020