Privacy Policy

01

Who we are

Gleam Revenue ("Gleam", "we", "us", "our") is a software-as-a-service company headquartered in New Zealand. We operate the Gleam Revenue platform at gleamrevenue.com, which provides MRR analytics and churn insights for SaaS founders and early-stage businesses.

This Privacy Policy explains how we collect, use, store, and protect information when you use our platform. By using Gleam, you agree to the practices described here.

02

What data we collect

Account information

When you sign up for Gleam, we collect your email address. We use magic-link authentication — we do not collect or store passwords.

Stripe account data

When you connect your Stripe account via OAuth, Gleam reads and stores the following data from your Stripe account to power the dashboard:

• →Subscription records (plan, amount, interval, status, start and end dates)
• →Customer records (name, email address, creation date)
• →Invoice and payment event data (for LTV and payment history calculations)
• →Stripe webhook events (stored for 90 days for debugging and replay purposes)
• →Product and price metadata (plan names, pricing tiers)

Usage data

We collect standard application logs and error reports to maintain and improve the service. This includes page views, feature usage, and error events. This data is processed by Sentry (error monitoring) and Vercel (hosting analytics).

Communications

If you contact us by email, we retain that correspondence to respond to your enquiry and improve our support.

03

How we use your data

We use the data we collect exclusively to provide and improve the Gleam service. Specifically:

• →To calculate and display your MRR, churn, and revenue metrics accurately
• →To send your daily email digest at your chosen time
• →To power the customer detail page and churn feed
• →To generate your month-end forecast
• →To detect and alert you to sync errors or Stripe disconnections
• →To maintain the security and integrity of the platform
• →To respond to support requests

We do not use your data for advertising, profiling, or any purpose other than operating the Gleam service for your benefit.

04

We do not sell your data

We do not sell, rent, license, or otherwise transfer your personal information or your customers' data to any third party for commercial purposes. This is unconditional and applies regardless of any future changes to our business.

05

Third-party services

Gleam uses the following third-party services to operate the platform. Each service has access only to the data necessary for its specific function:

All third-party providers are contractually required to handle data securely and are prohibited from using your data for their own commercial purposes.

06

Data retention

• →Raw Stripe webhook events are retained for 90 days then automatically deleted. This period covers one full quarter and allows us to diagnose any revenue discrepancies.
• →MRR snapshots and churn events are retained for as long as your account is active. They form the historical record that powers your dashboard charts.
• →Account data (your email, preferences, subscription) is retained until you delete your account.
• →Error logs are retained for 30 days via Sentry.

When you disconnect a Stripe account from Gleam, the historical sync data is preserved so your charts remain intact. You can request full deletion at any time (see Section 08).

07

Security

We take the security of your data seriously. The following measures are in place:

• →All Stripe OAuth access tokens are encrypted at rest using AES-256-GCM encryption with unique initialisation vectors
• →All data is transmitted over TLS (HTTPS)
• →Row-Level Security (RLS) is enforced at the database layer — your data is isolated from other users' data at the database level, not just the application level
• →Access tokens are never logged, stored in cookies, or exposed in URLs
• →Error reports have personally identifiable information scrubbed before transmission to monitoring systems

No system is perfectly secure. If you discover a security vulnerability, please contact us immediately at hello@gleamrevenue.com.

08

Your rights

Under the New Zealand Privacy Act 2020 and applicable privacy laws, you have the following rights regarding your personal information:

• →Access: You can request a copy of the personal information we hold about you
• →Correction: You can request that inaccurate information be corrected
• →Deletion: You can request that your account and associated data be deleted
• →Portability: You can request your data in a machine-readable format
• →Disconnection: You can disconnect your Stripe account at any time from Settings within the app

To exercise any of these rights, contact us at hello@gleamrevenue.com. We will respond within 20 working days as required by the New Zealand Privacy Act 2020.

09

Cookies

Gleam uses a single session cookie to maintain your authenticated session after you sign in via magic-link. This cookie is strictly necessary for the service to function and does not track you across other websites. We do not use advertising cookies, tracking pixels, or analytics cookies.

10

Children

Gleam is a business tool intended for adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

11

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email. Your continued use of Gleam after a change is posted constitutes acceptance of the updated policy.

12

Contact us

If you have any questions about this Privacy Policy or how we handle your data, please contact us: