Privacy Policy
Effective 1 March 2026
This Privacy Policy explains how Glassbreak ("we", "us", "our") collects, uses, stores, and protects personal information when you use our platform, website, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.
1. Overview
Glassbreak is a platform for break-glass emergency access to critical secrets and crisis communications. Secrets are encrypted on your device before transmission to our infrastructure. Glassbreak does not have the ability to decrypt your secrets. Your privacy is foundational to how we design, build, and operate the Service.
2. Information We Collect
We collect the minimum data required to create and maintain your account, ensure security, and provide the Service:
- Account information — name and email address provided during registration
- Authentication data — password hash (Argon2id), MFA credentials (TOTP secrets, WebAuthn public keys, recovery code hashes), and refresh tokens
- Security metadata — IP addresses, user agent strings, device identifiers, and login timestamps, recorded in audit logs for fraud detection and compliance
- Organisation and team data — organisation name, team names, membership roles, and subscription details
- Encrypted content — secrets, contact records, and messages stored in encrypted form that we cannot decrypt
- Usage metrics — anonymous, aggregate site usage via Plausible Analytics (no personally identifiable information)
- Payment information — processed and stored by Stripe (see section 7)
3. How We Use Your Information
We use your information to:
- Create and manage user accounts, organisations, and teams
- Authenticate users and manage session security (JWT tokens, refresh token rotation)
- Enforce access controls and role-based permissions
- Process payments and manage subscriptions via Stripe
- Send service-related communications (e.g. account verification, password resets, security alerts)
- Maintain audit logs for security monitoring and compliance
- Detect and prevent fraud, abuse, and unauthorised access
- Enforce rate limits to protect service availability
- Comply with legal obligations and enforce our Terms
4. Data Security and Encryption
We employ multiple layers of encryption to protect your data:
- Secret encryption — secrets are encrypted using AES-256 on your device before transmission. Decryption keys remain exclusively in your control.
- Key protection — RSA-4096 key pairs are generated per user. Private keys are encrypted and stored as structured data. Post-quantum key encapsulation (Kyber1024) provides forward security against future quantum computing threats.
- Contact encryption — personal contact information (email, phone, address) is encrypted with a Content Encryption Key (CEK) per team, with blind indexes enabling search without decryption.
- Message encryption — chat messages are end-to-end encrypted with per-conversation keys wrapped for each participant.
- Password security — passwords are hashed using Argon2id with high memory cost parameters. We never store or transmit plaintext passwords.
- Transport security — all data in transit is protected by TLS. All data at rest is encrypted at the infrastructure level.
Glassbreak staff, systems, and infrastructure providers have no access to your decrypted secrets, messages, or encrypted contact data.
5. Cloud Infrastructure and Data Storage
We operate across multiple independent cloud providers to ensure high availability and eliminate single points of failure:
- AWS — S3 static hosting, Lambda API compute
- Scaleway — Object Storage, serverless Functions, Managed Database
- Fastly — Primary CDN for edge caching and request routing
- Bunny — Secondary CDN for geographic redundancy and failover
- Neon — Serverless PostgreSQL database
- Route 53 & DNSimple — Dual-provider authoritative DNS
No single cloud provider failure can take the Service offline. Infrastructure is geographically distributed across providers that share no common dependencies.
6. International Data Transfers
Our infrastructure spans multiple geographic regions, including the European Union (Scaleway), the United States (AWS, Neon, Fastly), and global edge locations (Bunny CDN). Your data may be processed in any of these regions. By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
Where required, we rely on appropriate safeguards for international transfers, including encryption of data in transit and at rest, and contractual protections with our subprocessors.
7. Payment Processing
We use Stripe to process payments and manage subscriptions. Stripe collects and stores your payment information (card number, billing address) in accordance with their Privacy Policy and is PCI DSS Level 1 certified. Glassbreak stores only your Stripe customer ID and subscription ID — we never receive or store full payment card details.
8. Analytics
We use Plausible Analytics, a privacy-respecting, cookie-free analytics tool hosted in the EU, to monitor aggregate site usage. Plausible does not collect personally identifiable information, does not use cookies, and does not track users across sites. We do not use Google Analytics or similar invasive tracking tools.
9. Email Communications
We send transactional emails for account verification, password resets, and security alerts. We may also send product update communications where you have opted in. You can unsubscribe from non-essential emails at any time via the link in any email. We will never sell or share your email address with third parties for marketing purposes.
10. Cookies and Local Storage
Glassbreak uses essential authentication tokens (JWT) for session management, stored in your browser. We also store your theme preference in localStorage. No tracking cookies, marketing cookies, or third-party cookies are deployed. Plausible Analytics operates without cookies.
11. Data Retention
- Encrypted content — retained as long as your team is active. When a team is deleted, all associated encrypted secrets, contacts, and messages are permanently removed.
- Account data — name, email, and organisation membership are retained for up to 90 days after account closure for legal and audit purposes, then permanently deleted.
- Audit logs — retained for the period specified by your subscription tier (30 days for Standard, 1 year for Premium), then automatically purged.
- Payment records — retained as required by applicable tax and accounting regulations (typically 7 years).
- Rate limit data — automatically expired and purged within 24 hours.
12. Subprocessors
We use the following subprocessors. None have access to your decrypted secrets or encrypted content:
- AWS (US) — compute, storage, and DNS
- Scaleway (EU) — compute, storage, and database
- Fastly (US/Global) — CDN and edge delivery
- Bunny (EU/Global) — CDN and edge delivery
- Neon (US) — serverless PostgreSQL database
- DNSimple (US) — DNS hosting
- Stripe (US) — payment processing
- Plausible (EU) — privacy-respecting analytics
We will update this list if subprocessors change. Material changes will be communicated via email or an in-app notification.
13. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data (subject to legal retention requirements)
- Data portability — request your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data in certain circumstances
- Objection — object to processing of your data for specific purposes
- Withdraw consent — withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@glassbreak.io. We will respond within 30 days. Note that we cannot provide access to your encrypted secrets as we do not hold decryption keys.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.
15. Children's Privacy
Glassbreak is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 14 days before taking effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. The "Effective" date at the top of this page indicates when this policy was last revised.
17. Governing Law
This Privacy Policy is governed by the laws of Australia. Any disputes arising from this policy shall be handled under the jurisdiction of the courts of New South Wales, Australia.
18. Contact
For questions, data requests, or complaints:
Privacy inquiries: privacy@glassbreak.io
Complaints: complaints@glassbreak.io
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
By using Glassbreak, you agree to this Privacy Policy.