Privacy Policy
Last Updated: 2026-05-08
This Privacy Policy explains how Glass Plate Works LLC
("Glass Plate Works", "we", "us") collects, uses, shares, and
protects personal information in connection with the
Glassplateworks service at glassplateworks.com and its
subdomains (the "Service"). It also describes the rights you have
over your personal information and how to exercise them.
We are a Washington State limited liability company (UBI 606 213
490). Our service is offered to users in the United States and
Canada only; we use IP-based geo-blocking to decline service to
users elsewhere. The img.glassplateworks.com subdomain serves
embedded image responses globally so that images embedded on
third-party sites continue to load for non-US/CA viewers.
If you have questions about this policy, contact us at
privacy@glassplateworks.com. The "person in charge of
personal information" for purposes of Quebec's Law 25 is the
Privacy Officer at the same address.
1. Quick summary
- We collect your email when you sign up, the files you upload, basic technical metadata about your requests, and billing information through Stripe if you subscribe.
- We never sell your personal information. We use a small, named set of sub-processors to run the service (§ 6).
- We use C2PA provenance as a core feature. The cryptographic manifest we sign and store may include some metadata you embed in your uploads, in addition to identifiers we add.
- You can download your data, correct it, and delete your account through self-service controls or by emailing us.
- We retain a hash-only provenance ledger indefinitely — see § 7. Personal information stored alongside it is deleted on account termination.
- We honor Global Privacy Control (GPC) signals as opt-out requests under California law.
2. Scope
This policy applies to:
- The website at glassplateworks.com and its subdomains.
- The REST API at api.glassplateworks.com.
- The MCP server at mcp.glassplateworks.com.
- The image CDN at img.glassplateworks.com.
It does not apply to third-party services we link to, or to content you upload that you choose to make publicly available. Public content is a publication, not a private communication — once you mark content public, anyone in the world may see it.
3. Information we collect
3.1 Information you provide
- Account information: email address, password (managed by our authentication provider Clerk and stored as a salted hash — we never see the plaintext), display name (optional), profile image (optional).
- Uploaded content: the image, video, audio, or document files you upload, plus any metadata (EXIF, caption, tags, alt text) you provide or that is embedded in the file.
- Payments: card and billing information for paid subscriptions. We do not store card data. Card data is collected and processed by Stripe, Inc.; we receive only a customer ID, last-four digits, brand, and expiry from Stripe for display.
- Communications with us: email replies, support tickets, feedback submissions, DMCA notices and counter-notifications.
3.2 Information collected automatically
- Request metadata: IP address, user-agent string, timestamps, request paths, response status, byte counts, referer (where provided by your browser), MCP client identifier (where applicable).
- Device and connection inferences derived from the above: approximate city/region (from IP), browser family.
- Analytics events: aggregate page-view counts collected via Plausible Analytics. Plausible does not set cookies or collect personal identifiers; reports are aggregate.
- Cookies and similar: see § 12.
3.3 Information we generate from your content
- SHA-256 content hash computed at upload (the canonical identifier we use for content-addressed URLs and deduplication).
- Perceptual hashes (dHash) used for visual deduplication.
- Image embeddings generated by Vertex AI (multimodalembedding@001, 1408-dim float vector) for semantic search. These are representations of image content, not identity templates; we do not use them for facial recognition or identity matching.
- AI-generated captions, tags, and OCR text (Phase 2 feature).
- Trust-badge classification computed from your uploaded C2PA manifest plus our verification of its signing certificate and revocation status.
- C2PA manifest entries we sign, which include the upload timestamp, our service identifier, and (for content you authored on-platform) a content credential.
3.4 Information we do not collect
- Government-issued ID numbers (SSN, SIN, passport, driver's license) — we have no use for these.
- Health information subject to HIPAA — out of scope.
- Children's information. We do not knowingly collect information from anyone under 13 (United States) or under 13 (Canada). See § 11.
- Biometric identifiers as defined under Illinois BIPA, Texas CUBI, or Washington's biometric law. The image embeddings we generate for semantic search are not used as identity templates and are not derived for the purpose of identifying a specific individual.
4. How we use information
| Purpose | Information used | Notes |
|---|---|---|
| Provide the Service (storage, retrieval, transformation, MCP) | Account, uploads, request metadata | Core functionality |
| Compute and verify provenance | Uploaded content, C2PA manifests, generated badges | Core feature |
| Bill paid subscribers | Stripe customer ID, plan tier | Card data stays at Stripe |
| Detect and prevent abuse | Hashes (PhotoDNA, StopNCII), request logs, account history | Includes CSAM/NCII detection at upload |
| Enforce our AUP and DMCA policy | Account history, strike records, takedown notices | See AUP § 6 and DMCA § 6 |
| Communicate transactional notices | Email, account ID | Account verification, password reset, billing receipts, takedown notifications |
| Send product updates (with consent) | Opt-in; one-click unsubscribe in every message; CASL-compliant for Canadian recipients | |
| Comply with law | Whatever is responsive to a valid legal process | Court orders, subpoenas, NCMEC reports |
| Improve the Service | Aggregate analytics, error logs | We do not train models on your private content |
We do not use the content of your private uploads to train generative models, our own or third-party. AI features that operate on your content (semantic search, captions, tags) run at your request and produce output stored only for your use.
5. Legal bases (Canadian users)
Under PIPEDA, we rely on the following bases for processing personal information of Canadian users:
- Consent, expressed by your creation of an account and use of the Service after being given this policy.
- Implied consent for processing reasonably required to provide a service you have requested (e.g., storing content you uploaded for retrieval).
- Legal requirement, where processing is required by law (e.g., NCMEC reporting under 18 U.S.C. § 2258A applies to the Service even where the uploader is in Canada).
- Legitimate interest, narrowly construed under PIPEDA, for fraud prevention and security (e.g., logging IPs of failed authentication attempts).
For California and other U.S. users, the equivalent "business purposes" listed in CCPA § 1798.140(e) are described in § 9 below.
6. Who we share information with
We share personal information with the following categories of recipients:
6.1 Sub-processors
| Vendor | Purpose | Location of processing | Data shared |
|---|---|---|---|
| Google Cloud Platform | Compute, storage of original files (manifest store), Vertex AI for embeddings and AI features | United States (us-central1) | All uploaded content, account metadata, embeddings |
| Cloudflare, Inc. | CDN, R2 object storage for served variants, Workers for image transforms, geo-blocking | Global edge, US for storage | Image variants, request metadata |
| Clerk, Inc. | Authentication, password storage | United States | Email, password hash, login event metadata |
| Stripe, Inc. | Payment processing | United States | Name, email, card data (collected and stored by Stripe directly), billing address |
| Microsoft Corporation (PhotoDNA Cloud Service) | CSAM hash matching | United States | Image hashes only — not the image bytes |
| StopNCII.org | NCII hash matching | United Kingdom | Image hashes only |
| National Center for Missing & Exploited Children (NCMEC) | CSAM reporting under 18 U.S.C. § 2258A | United States | Reports as required by statute, including the image, account information, and IP address of the uploader |
| Upstash, Inc. | Redis cache and rate limiting | United States | API key fingerprints, rate-limit counters (no content) |
| DigiCert, Inc. | RFC 3161 trusted timestamps for C2PA manifests | United States | Hashes of manifest entries (no content) |
| Carbon Ads (BuySellAds) | Display advertising on free-tier pages | United States | IP address, user-agent, page URL — not your account email or upload contents |
| Plausible Insights OÜ | Privacy-first web analytics | European Union (Estonia) | Aggregate counts only; no cookies, no IP storage |
| Featurebase | Feedback portal | United States | Email and feedback you submit |
| Instatus | Status page | United States | None about you; service-level signals only |
| [TRANSACTIONAL EMAIL PROVIDER — TBD] | Sending account-verification, billing, takedown emails | United States | Email address, message contents |
We will keep this list current. Material changes will be reflected in an updated "Last Updated" date and described in our changelog.
6.2 Compliance with law and protection of rights
We may disclose personal information when we believe in good faith that disclosure is required by:
- A valid subpoena, court order, or other legal process;
- A law-enforcement request that satisfies applicable legal standards (we require proper process for non-emergency requests);
- A statute that requires disclosure (e.g., the NCMEC reporting obligation under 18 U.S.C. § 2258A);
- The need to protect the rights, property, or safety of Glass Plate Works, our users, or the public.
We will, where lawfully permitted, notify the affected user before disclosure so they can seek protective relief.
6.3 Business transfers
If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor. We will notify you of any such transfer and any resulting changes to this policy before they take effect for your information.
6.4 With your consent
We may share your information with your consent or at your direction (for example, when you make content public or grant API access to a third-party application).
We do not sell personal information for monetary consideration. Display advertising via Carbon Ads on free-tier pages may, under California's CPRA, constitute "sharing for cross-context behavioral advertising"; we have provided an opt-out as described in § 9.
7. Retention
| Information | Retention period |
|---|---|
| Account record (email, account ID, tier) | While account is active; 90 days after deletion or termination, then anonymized to an opaque ID for strike-history purposes |
| Uploaded content (CDN variants on R2) | Until you delete it, your account is terminated, or it is removed under AUP/DMCA |
| Uploaded content (original bytes in manifest store) | Same as above, plus a hold for legal-preservation periods if applicable |
| Provenance ledger entries (Firestore) | Indefinitely, hash-only — these record that a piece of content existed at a given time and bear our cryptographic timestamp. After deletion of the content, the ledger entry remains as a hash with no associated personal information |
| Request logs | 90 days, then aggregated |
| Authentication logs | 12 months |
| DMCA notices and counter-notifications | 4 years from receipt |
| Strike records (DMCA + AUP) | 12 months from the strike, then deleted unless still required for an active enforcement action |
| Billing records | 7 years (U.S. federal tax retention; Stripe also retains records on their schedule) |
| Backups | 30-day rotation; deletions reach backups within that window |
| Email correspondence | 24 months |
| Marketplace sale records (buyer ID, sale amount, listing ID, watermark payload identifier) | Indefinitely while the company operates, to support buyer-trace forensics if a sold asset is later found being redistributed in violation of its license. The watermark payload identifier is a random per-sale UUID; it is not derived from any personal information and resolves to the buyer only via the sales record |
If a user deletes their account or content, the deletion is applied to live systems within 24 hours and propagates through backups within the rotation window. The provenance ledger and marketplace sale records are the two exceptions described above — they are retained for as long as we operate so that the provenance and trace chains remain verifiable. If a buyer exercises the GDPR right to erasure, the sale row's personally-identifying fields (email, billing address) are purged or replaced with opaque identifiers; the random watermark payload UUID stays so the trace chain is preserved.
8. How we protect information
- TLS 1.2+ for all data in transit.
- AES-256 at rest for object storage (provided by GCP and Cloudflare R2).
- Password storage delegated to Clerk, using salted bcrypt or equivalent.
- API-key authentication uses constant-time comparison; keys are stored as SHA-256 hashes.
- Service-account credentials for Cloud Run workers fetched from Google Cloud's metadata server, never embedded in container images or environment files.
- Logical isolation between user accounts at the database layer.
- Limited access on a need-to-know basis; access is logged.
No system is perfectly secure. If we discover a breach affecting personal information, we will notify affected users and applicable authorities as required by law (including the various U.S. state breach-notification statutes and Canadian PIPEDA breach reporting to the Office of the Privacy Commissioner where the breach creates a real risk of significant harm).
Report suspected vulnerabilities to
security@glassplateworks.com.
9. Your California rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy
Act (as amended by the California Privacy Rights Act) gives you
the rights below. To exercise them, email
privacy@glassplateworks.com from the email address associated
with your account, or use the self-service controls in your
account settings (where available).
We will verify your identity by confirming you control the account email; for sensitive requests we may require additional verification. We will respond within 45 days; we may extend by an additional 45 days with notice.
9.1 Categories of personal information collected (last 12 months)
| Category (Cal. Civ. Code § 1798.140) | Collected? | Examples |
|---|---|---|
| A. Identifiers | Yes | Email, account ID, IP address |
| B. Customer records (Cal. Civ. Code § 1798.80(e)) | Yes (limited) | Billing name and address (held by Stripe) |
| C. Protected classifications | No | We do not collect or infer |
| D. Commercial information | Yes | Subscription plan, payment history (held by Stripe) |
| E. Biometric information | No | Embeddings are not identity templates; see § 3.4 |
| F. Internet/network activity | Yes | Request logs |
| G. Geolocation data | Yes (coarse) | City-level inferred from IP; we do not collect GPS |
| H. Sensory data | Yes (when you upload) | Audio/video files you upload |
| I. Professional/employment information | No | |
| J. Education information | No | |
| K. Inferences | Yes | Embeddings, AI tags, captions |
| L. Sensitive PI (Cal. Civ. Code § 1798.140(ae)) | No | |
9.2 Sources
Directly from you (uploads, account creation), from your device (IP, user-agent), and from our authentication provider Clerk (when you sign in via OAuth).
9.3 Business purposes
Service provision, billing, security, fraud prevention, legal compliance, analytics, and product improvement, as detailed in § 4.
9.4 Your rights
- Right to know what personal information we have collected, used, disclosed, and (where applicable) sold or shared.
- Right to delete your personal information, subject to the exceptions in Cal. Civ. Code § 1798.105(d). Deletion of the provenance ledger entries is one such exception (we retain hash-only records as required for the integrity of the provenance system, which serves a legal purpose under our contractual obligations).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. We do not sell personal information. We may "share" personal information with Carbon Ads for cross-context behavioral advertising on free-tier pages; you can opt out by clicking "Do Not Sell or Share My Personal Information" in the site footer or in your account settings, by sending a Global Privacy Control signal (which we honor), or by emailing privacy@glassplateworks.com.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined under CPRA, so this right has nothing to apply to in our case.
- Right of non-discrimination. We will not retaliate against you for exercising any of these rights.
9.5 Authorized agents
You may use an authorized agent to make a request. We will require written proof of the agent's authority and may verify the request directly with you.
9.6 Shine the Light
California Civil Code § 1798.83 ("Shine the Light") permits California residents to request information regarding our disclosure of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing use.
10. Your Canadian rights (PIPEDA / Quebec Law 25)
If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act and applicable provincial laws give you the rights below. Quebec residents have additional rights under the Act respecting the protection of personal information in the private sector ("Law 25").
10.1 PIPEDA rights
- Access: request a copy of personal information we hold about you.
- Correction: request that we correct inaccurate or incomplete personal information.
- Withdrawal of consent: withdraw consent to processing (subject to legal or contractual restrictions; withdrawal may end your access to the Service).
- Challenge compliance: ask us, our Privacy Officer, or the Office of the Privacy Commissioner of Canada to review our compliance with PIPEDA.
10.2 Quebec Law 25 specifics
- Person in charge of personal information: the Privacy Officer at privacy@glassplateworks.com.
- Cross-border processing notice: your personal information is stored and processed in the United States by our sub-processors, particularly Google Cloud Platform (us-central1), Cloudflare, Stripe, and Clerk. The United States does not have a comprehensive federal privacy law equivalent to Quebec Law 25 or PIPEDA; however, our sub-processors are bound by contractual safeguards (SCCs or equivalent) and by their own published privacy commitments. By using the Service after being given this policy you consent to these transfers.
- Automated decision-making: we use automated systems to (a) refuse uploads that match CSAM/NCII hashes, (b) generate embeddings, captions, and tags, and (c) compute trust badges from C2PA manifests. These systems do not make decisions about you (e.g., access to credit, employment, services beyond the Service itself). Refusal to upload a flagged file is not a decision about you; it is a decision about a specific file. You may contact privacy@glassplateworks.com to ask a human to review any automated outcome you believe is incorrect.
- Data portability: you can export your personal information and your uploaded content via the data-export tool in your account settings (or by request to privacy@glassplateworks.com).
- Privacy-impact assessment: we will conduct and document a Privacy Impact Assessment for any new sub-processor or material change to processing involving Quebec residents.
10.3 Other provincial laws
If you are a resident of British Columbia, Alberta, or another province with its own private-sector privacy law, you may also have rights under that statute. The PIPEDA rights described above are at minimum equivalent.
11. Children
The Service is not directed to children under 13, and we do
not knowingly collect personal information from children under
13. If you believe we have collected personal information from a
child under 13, contact us at privacy@glassplateworks.com and we
will delete it.
For users between 13 and 18 (or the age of majority in their jurisdiction), use of the Service requires the consent of a parent or guardian. We do not provide a separate child-account flow.
12. Cookies and similar
We use a minimal set of cookies and similar storage mechanisms.
| Category | Cookies set | Purpose | Required? |
|---|---|---|---|
| Strictly necessary | Session identifier, CSRF token | Sign-in, request integrity | Yes (cannot disable) |
| Functional | UI preferences (theme, locale) | Remembering your choices | No (you can disable) |
| Analytics | None | Plausible runs without cookies | n/a |
| Advertising | Set by Carbon Ads on free-tier pages | Frequency capping; opt-out described in § 9 | No |
We honor Do Not Track signals from your browser by treating them as opt-out requests under the CCPA where applicable. We also honor Global Privacy Control signals.
13. International transfers
Your personal information is stored and processed in the United States by the sub-processors listed in § 6. Some sub-processors (such as Plausible, hosted in Estonia) may process small amounts of aggregate analytics data outside the United States. We do not intentionally process personal information of users in the European Union or the United Kingdom; we geo-block those regions on our application domains.
If you are a Canadian user, see § 10.2 for the Quebec-specific notice on cross-border processing.
14. Changes to this policy
We may update this policy from time to time. Material changes
will be announced on glassplateworks.com and by email to
account holders, at least thirty (30) days before they take
effect. Non-material changes (typo fixes, link updates) take
effect on posting and are reflected in an updated "Last Updated"
date.
A history of changes is maintained at
https://glassplateworks.com/legal/privacy/changelog.
15. Contact
| For | Email |
|---|---|
| Privacy questions and rights requests | privacy@glassplateworks.com |
| DMCA notices | dmca@glassplateworks.com |
| AUP / abuse reports | abuse@glassplateworks.com |
| Security disclosures | security@glassplateworks.com |
| Legal correspondence | legal@glassplateworks.com |
| General support | support@glassplateworks.com |
Postal:
Glass Plate Works LLC Attn: Privacy Officer 522 W Riverside Ave, Ste N Spokane, WA 99201 United States
If you are a resident of Canada and wish to file a complaint with
your data-protection authority, you may contact the Office of
the Privacy Commissioner of Canada at priv.gc.ca. Quebec
residents may also contact the Commission d'accès à
l'information du Québec at cai.gouv.qc.ca.
If you are a California resident, you may also contact the
California Privacy Protection Agency at cppa.ca.gov.