Glitrix is operated by Glitches in Matrix Limited, a company registered in Hong Kong. We act as the data user for your personal data under the Personal Data (Privacy) Ordinance (PDPO, Cap. 486).
For questions about this policy or to exercise your privacy rights, contact us at [email protected].
Registered address: [INSERT REGISTERED OFFICE ADDRESS]
Under the PDPO transparency and fairness principles, we inform you that we collect the following categories of personal data:
Provided by you
Collected automatically
We process personal data for lawful and directly related business purposes under the PDPO:
| Processing Basis | Data Processed | Purpose |
|---|---|---|
| Service delivery | Financial records, account data, authentication data | Delivering the Glitrix service — AI extraction, audit trail, reporting, and export |
| Operational necessity | Usage data, error data, session recordings | Error monitoring, security, service stability, and product improvement. |
| Consent | Email address | Optional: marketing communications and product update emails. You may withdraw your consent at any time — see Section 6. |
We share data with the following categories of sub-processors, each bound by a Data Processing Agreement (DPA), with appropriate safeguards for international transfers:
| Processor Category | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Cloud database provider | Database hosting, authentication, and file storage | United States | SCCs; SOC 2 Type II |
| AI extraction provider | Text and image extraction from uploaded financial documents, processed server-side via our Edge Function. Data is not retained by the provider for model training under our DPA. | United States | SCCs; SOC 2 Type II |
| Error monitoring provider | Application error tracking and anonymised session recordings. Financial form fields and document images are masked — no financial data is included. | United States | SCCs; SOC 2 Type II |
| Hosting and CDN provider | Application hosting and content delivery | United States / Global CDN | SCCs; SOC 2 Type II |
All international transfers are supported by contractual safeguards, including Standard Contractual Clauses (SCCs), and organisational and technical protections appropriate to the transfer risk.
We apply the PDPO data retention principle and do not retain personal data for longer than necessary:
| Data Category | Retention Period | Reason |
|---|---|---|
| Financial records | Duration of active account, plus 7 years. If your account is inactive for 24 or more consecutive months, the 7-year retention period begins from the date of last activity. | IRD-aligned record retention and compliance requirements in Hong Kong |
| Account data | Until account deletion, or 24 months after your last login if your account is inactive, whichever is sooner. | Service delivery; storage limitation principle |
| Error logs | 90 days | Debugging and service stability |
| Session recordings | 30 days | Short-term debugging; automatically purged |
| AI extraction data | Not retained — processed in memory and discarded immediately after results are returned | Data minimisation principle |
If you delete your account, we will erase your personal data within 30 days. Financial records subject to statutory retention obligations will be isolated, flagged, and made inaccessible through the platform for the remainder of the required retention period.
You have rights over your personal data under the PDPO, including rights to request access and correction. To exercise your rights, email [email protected]. We will respond within the time required by applicable Hong Kong law.
Withdrawing Consent
Where we rely on your consent (for example, marketing emails), you may withdraw it at any time without affecting the lawfulness of any processing carried out before withdrawal. To withdraw consent:
Withdrawal takes effect within 5 working days.
Complaints
You have the right to lodge a complaint with the Hong Kong supervisory authority at any time:
Privacy Commissioner for Personal Data, Hong Kong (PCPD) · pcpd.org.hk/english/complaints
We would always prefer the chance to resolve your concern first. Please contact us at [email protected] before raising a formal complaint.
We use only strictly necessary cookies required for the platform to function. We do not use advertising, tracking, or profiling cookies.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| Authentication session token | Essential | Session | Keeps you signed in to Glitrix. Required for the platform to function. |
Because we use only strictly necessary cookies, we do not use the platform for advertising or behavioural profiling cookies.
Some of our processors are based in the United States. Transfers of personal data from Hong Kong to these processors are protected by Standard Contractual Clauses (SCCs) and supplementary technical and organisational safeguards.
Each processor also maintains SOC 2 Type II certification, providing additional assurance of their security controls.
Glitrix uses AI models to extract and classify information from documents you upload. This processing:
You remain in full control. You can review, edit, or reject any AI-extracted data before it is stored in your account.
Glitrix is designed for business owners, sole traders, and their employees. It is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in the law, our services, or our data practices.
For material changes — those that significantly affect your rights or how we use your data — we will notify you by email at least 14 days before the change takes effect. For minor updates (such as clarifications), we will update the version number and date at the top of this policy.
Continued use of Glitrix after a material change takes effect constitutes acceptance of the updated policy.
For all data protection enquiries, including exercising your rights:
| [email protected] | |
| Company | Glitches in Matrix Limited |
| Registered address | [INSERT REGISTERED OFFICE ADDRESS] |
| Data User Registration | [INSERT HONG KONG REGISTRATION DETAILS] |
| Supervisory Authority | Privacy Commissioner for Personal Data (PCPD), Hong Kong · pcpd.org.hk |
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | Feb 2026 | Initial draft (internal review version) |
| 1.1 | Feb 2026 | Updated for Hong Kong localisation: PDPO references, PCPD complaint details, SCC-based transfer safeguards, and Hong Kong data protection terminology. |