Privacy Policy

Last updated: 19 May 2026

This privacy policy explains how Glovelly handles personal information when you use:

the production service at https://glovelly.net
the documentation site at https://docs.glovelly.net

Glovelly is a small business administration tool, currently focused on self-employed music work. It is used to manage clients, gigs, expenses, receipts, invoices, seller profile details, invoice delivery, Google Drive invoice publishing, access administration, and related operational records.

Glovelly is intended for business administration. It is not intended for children or consumer social use.

Who Is Responsible For Your Information

The data controller is:

Glovelly
c/o Glovelly Privacy Team
privacy@glovelly.net

Please use the privacy contact email above for any questions about this policy or about how Glovelly handles personal information.

Information Glovelly Collects

Glovelly may collect and store the following categories of information.

Account and Access Information

Name, email address, and Google account subject identifier used for sign-in.
User role, approval status, account status, and access administration records.
Access request details, including request timestamps and administrator handling notes where applicable.
Authentication session information needed to keep users signed in securely.

Business Records

Client names, contact details, billing details, notes, and related business metadata.
Gig details such as dates, venues, fees, mileage, passenger counts, and status.
Expense details such as descriptions, categories, amounts, tax treatment, reimbursement status, and receipt attachments.
Receipt files or images uploaded by users. These may contain personal information visible on the receipt, such as names, partial payment card details, locations, timestamps, or purchase details.
Invoice details such as invoice numbers, line items, payment status, issue/reissue history, delivery details, PDF files, and Google Drive publication references.
Seller profile details used to generate invoices, such as trading name, address, payment details, invoice defaults, and tax or business identifiers where provided.

Communications and Delivery Data

Email addresses used for access workflows and invoice delivery.
Email delivery metadata returned by the email provider, such as message identifiers and delivery status where available.
Records showing when invoices or access-related emails were generated, sent, retried, delivered, failed, or otherwise processed.

Google Drive Integration Data

If you connect Google Drive, Glovelly requests permission to create and manage files that it creates in your Google Drive. Glovelly uses this permission to publish generated invoice files to Drive when you request it.

When Google Drive integration is enabled, Glovelly may store:

Google OAuth connection information, including protected access and refresh tokens.
Token expiry and reconnection status.
Google Drive file identifiers and file links for uploaded invoice files.
Configured Google Drive folder identifiers or related publishing settings.
Metadata showing when an invoice was published to Drive and by which user.

Google Drive access can be revoked through your Google Account permissions. If access is revoked, expires, or otherwise stops working, Google Drive publishing will stop until the connection is restored.

Technical and Security Data

Glovelly and its service providers may process technical and diagnostic information needed to operate, secure, debug, and maintain the service. This may include:

browser, device, network, request, and diagnostic information
IP address or approximate network metadata
timestamps
authentication, authorisation, and audit-style events
application logs and error information

Glovelly aims to avoid logging sensitive business content unnecessarily, but diagnostic records may sometimes contain limited personal information needed to investigate issues or maintain security.

Documentation Site Data

The documentation site is a static site published through GitHub Pages. GitHub may process limited technical information, such as IP address and request metadata, when serving the site.

Glovelly does not intentionally collect account-level personal information from visitors to the documentation site unless a visitor contacts the controller separately.

How Glovelly Uses Personal Information

Glovelly uses personal information to:

provide authenticated access to the service
manage users, roles, permissions, and access requests
manage clients, gigs, expenses, receipts, invoices, and seller profile settings
generate, issue, reissue, publish, and deliver invoices
publish invoice files to Google Drive where that integration is configured
send transactional emails, such as access request and invoice delivery messages
maintain invoice, accounting, tax, and business administration records
secure the service and detect misuse
maintain, debug, test, and improve the service
comply with legal, accounting, tax, and record-keeping obligations
respond to requests, questions, and rights exercises

Glovelly does not sell personal information.

Lawful Bases For Processing

Depending on the context, Glovelly relies on the following lawful bases under UK GDPR.

Purpose	Likely lawful basis
Providing access to Glovelly and operating core account features	Contract or legitimate interests
Managing clients, gigs, expenses, receipts, invoices, and business records	Contract, legitimate interests, or legal obligation
Creating and retaining invoices and accounting records	Legal obligation and legitimate interests
Sending transactional emails and invoice delivery messages	Contract or legitimate interests
Publishing invoices to Google Drive at the user's request	Contract or legitimate interests
Administering access requests and user permissions	Legitimate interests
Security, abuse prevention, diagnostics, and service maintenance	Legitimate interests
Responding to legal requests or regulatory obligations	Legal obligation

Where Glovelly relies on legitimate interests, those interests are the operation, administration, security, and improvement of a small business administration service, balanced against the rights and expectations of the people whose information is processed.

Where a user connects an external service such as Google Drive, Glovelly processes the related connection information in order to provide the requested integration.

Special Category Data

Glovelly is not designed to collect special category data, such as information about health, religion, ethnicity, political opinions, trade union membership, genetic or biometric data, or sexual orientation.

Users should avoid entering special category data into free-text fields, notes, receipt attachments, invoice descriptions, or client records unless there is a clear business need and an appropriate lawful basis has been confirmed.

Who Personal Information Is Shared With

Glovelly may share or make personal information available to service providers that help run the service, including:

hosting and infrastructure providers
database, storage, backup, logging, and monitoring providers
authentication providers, including Google sign-in
Google Drive, where Drive publishing is configured
email delivery providers
GitHub, for source control, GitHub Actions, and GitHub Pages documentation hosting
professional advisers, accountants, tax authorities, regulators, or legal bodies where required

Service providers are expected to process personal information only as needed to provide their services, support Glovelly's operation, or meet their own legal obligations.

Current expected subprocessors include:

Google Cloud Platform, for hosting, infrastructure, managed secrets, and related cloud services
Google, for sign-in and Google Drive integration
Neon, for database hosting
Resend or another configured email delivery provider, for transactional email
GitHub, for source control, GitHub Actions, and documentation hosting

This list may change as Glovelly evolves.

International Transfers

Some service providers may process personal information outside the United Kingdom.

Where this happens, Glovelly relies on appropriate safeguards, which may include UK adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement or Addendum, or equivalent provider commitments.

How Long Information Is Kept

Glovelly keeps personal information only for as long as needed for the purposes described in this policy.

Typical retention expectations are:

account and access records: for the life of the account, then for a reasonable audit and security period after closure
Google Drive OAuth tokens and connection data: until the integration is disconnected, expires, is revoked, or the account is deleted, unless limited records are needed for audit or security purposes
client, gig, expense, receipt, and invoice records: for as long as needed for business, tax, accounting, and dispute purposes
invoice, expense, receipt, and accounting records: normally at least 6 years after the relevant tax year or accounting period, where required for UK tax or accounting records
access request records: normally up to 12 months after handling, unless needed for security, audit, or dispute purposes
email delivery records: for as long as needed to confirm delivery, investigate delivery issues, or maintain business records
logs and diagnostic records: normally for a limited operational period, such as up to 90 days, unless needed for security investigation, debugging, legal, accounting, or dispute purposes
documentation site technical records: according to the retention practices of GitHub or other hosting providers used to serve the site

Some information may be retained for longer where required by law, tax rules, accounting obligations, security needs, dispute resolution, or backup retention.

Security

Glovelly uses technical and organisational measures intended to protect personal information, including authenticated access, role-based controls, secure cookies, owner visibility checks for user-owned data, managed secrets, provider-backed storage, and encryption or token protection where configured.

Google OAuth tokens used for Drive integration are protected before storage where token persistence is enabled.

No online service can guarantee absolute security. Users should keep their Google account secure, use appropriate access controls, and only upload business records that are appropriate for Glovelly to process.

Your Rights

Depending on the circumstances, individuals may have rights to:

be informed about how their personal information is used
access their personal information
correct inaccurate or incomplete information
request deletion of information
request restriction of processing
object to processing based on legitimate interests
receive certain information in a portable format
withdraw consent, where consent is the lawful basis

Some rights may be limited where Glovelly needs to keep information for legal, accounting, tax, security, audit, or dispute-resolution reasons.

To exercise rights, contact:

privacy@glovelly.net

Complaints

Please contact the controller first if you have questions or concerns about how Glovelly handles personal information.

You can also complain to the UK Information Commissioner's Office:

Information Commissioner's Office
https://ico.org.uk/make-a-complaint/

Cookies And Local Storage

Glovelly uses cookies or similar browser storage where needed for authentication, session management, security, and user preferences.

Glovelly does not currently use advertising cookies.

If analytics, embedded media, advertising cookies, or additional tracking tools are added later, this policy should be updated before those tools are enabled.

The documentation site is static. Any cookies or similar technologies used by GitHub Pages or related hosting infrastructure are controlled by those providers.

Changes To This Policy

This policy may be updated as Glovelly changes. The latest version will be published through Glovelly or its online documentation site.

Material changes may be highlighted in the service or documentation where appropriate.