Glitrix is operated by Glitches in Matrix Limited, a company registered in England and Wales. We act as the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For questions about this policy or to exercise your privacy rights, contact us at [email protected].
Registered address: [INSERT REGISTERED OFFICE ADDRESS]
Under UK GDPR Articles 13 and 14, we inform you that we collect the following categories of personal data:
Provided by you
Collected automatically
We process your personal data on the following legal bases under UK GDPR Article 6:
| Legal Basis | Data Processed | Purpose |
|---|---|---|
| Contract performance (Art. 6(1)(b)) | Financial records, account data, authentication data | Delivering the Glitrix service — AI extraction, audit trail, reporting, and export |
| Legitimate interest (Art. 6(1)(f)) | Usage data, error data, session recordings | Error monitoring, security, service stability, and product improvement. A Legitimate Interests Assessment (LIA) has been completed and is available on request. |
| Consent (Art. 6(1)(a)) | Email address | Optional: marketing communications and product update emails. You may withdraw your consent at any time — see Section 6. |
We share data with the following categories of sub-processors, each bound by a Data Processing Agreement (DPA) under UK GDPR Article 28, with appropriate safeguards for international transfers:
| Processor Category | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Cloud database provider | Database hosting, authentication, and file storage | United States | UK IDTA; SOC 2 Type II |
| AI extraction provider | Text and image extraction from uploaded financial documents, processed server-side via our Edge Function. Data is not retained by the provider for model training under our DPA. | United States | UK IDTA; SOC 2 Type II |
| Error monitoring provider | Application error tracking and anonymised session recordings. Financial form fields and document images are masked — no financial data is included. | United States | UK IDTA; SOC 2 Type II |
| Hosting and CDN provider | Application hosting and content delivery | United States / Global CDN | UK IDTA; SOC 2 Type II |
All international transfers are made pursuant to International Data Transfer Agreements (IDTAs) approved by the UK Information Commissioner's Office, or equivalent safeguards under UK GDPR Chapter V.
We apply the UK GDPR storage limitation principle and do not retain personal data for longer than necessary:
| Data Category | Retention Period | Reason |
|---|---|---|
| Financial records | Duration of active account, plus 7 years. If your account is inactive for 24 or more consecutive months, the 7-year retention period begins from the date of last activity. | HMRC requirement under the Taxes Management Act 1970, s.12B |
| Account data | Until account deletion, or 24 months after your last login if your account is inactive, whichever is sooner. | Service delivery; storage limitation principle |
| Error logs | 90 days | Debugging and service stability |
| Session recordings | 30 days | Short-term debugging; automatically purged |
| AI extraction data | Not retained — processed in memory and discarded immediately after results are returned | Data minimisation principle |
If you delete your account, we will erase your personal data within 30 days. Financial records subject to statutory retention obligations will be isolated, flagged, and made inaccessible through the platform for the remainder of the required retention period.
You have the following rights over your personal data. To exercise any of them, email [email protected]. We will respond within one calendar month. In complex cases we may extend this to three months, in which case we will notify you within the first month and explain the reason for the delay.
Withdrawing Consent
Where we rely on your consent (for example, marketing emails), you may withdraw it at any time without affecting the lawfulness of any processing carried out before withdrawal. To withdraw consent:
Withdrawal takes effect within 5 working days.
Complaints
You have the right to lodge a complaint with the UK supervisory authority at any time:
Information Commissioner's Office (ICO) · ico.org.uk/make-a-complaint · 0303 123 1113
We would always prefer the chance to resolve your concern first. Please contact us at [email protected] before raising a formal complaint.
We use only strictly necessary cookies required for the platform to function. We do not use advertising, tracking, or profiling cookies.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| Authentication session token | Essential | Session | Keeps you signed in to Glitrix. Required for the platform to function. |
Because we use only strictly necessary cookies, we do not require your consent under the Privacy and Electronic Communications Regulations (PECR).
Some of our processors are based in the United States. Transfers of personal data from the UK to these processors are protected by UK International Data Transfer Agreements (IDTAs) approved by the Information Commissioner's Office (ICO) — the UK's own transfer mechanism under UK GDPR Chapter V.
Each processor also maintains SOC 2 Type II certification, providing additional assurance of their security controls. We do not rely on EU Standard Contractual Clauses as a transfer mechanism, as the UK operates its own separate framework following its departure from the EU.
Glitrix uses AI models to extract and classify information from documents you upload. This processing:
You remain in full control. You can review, edit, or reject any AI-extracted data before it is stored in your account.
Glitrix is designed for business owners, sole traders, and their employees. It is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in the law, our services, or our data practices.
For material changes — those that significantly affect your rights or how we use your data — we will notify you by email at least 14 days before the change takes effect. For minor updates (such as clarifications), we will update the version number and date at the top of this policy.
Continued use of Glitrix after a material change takes effect constitutes acceptance of the updated policy.
For all data protection enquiries, including exercising your rights:
| [email protected] | |
| Company | Glitches in Matrix Limited |
| Registered address | [INSERT REGISTERED OFFICE ADDRESS] |
| ICO Registration | ZA[XXXXXX] — insert before publishing |
| Supervisory Authority | Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · ico.org.uk |
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | Feb 2026 | Initial draft (internal review version) |
| 1.1 | Feb 2026 | Added: UK GDPR label throughout; right to restrict processing (Art. 18); consent withdrawal instructions; session recording disclosure with masking detail; automated decision-making clause; inactivity cap on retention; one-calendar-month response period; ICO complaint details; children's statement; policy change notification; AI/automated processing section. |