Privacy Policy

Last updated: 25 April 2026

Glia Quest — Privacy Policy
Effective date: 25 April 2026

1. Introduction and Scope

1.1 About this Policy

This Privacy Policy describes how Glia Hong Kong Holdings Co., Limited ("Glia Quest", "we", "us" or "our") collects, uses, discloses and protects personal data in connection with the Glia Quest service available at glia.quest (the "Service").

1.2 Scope

This Policy applies to: (a) visitors to glia.quest; (b) people who join our waitlist; (c) people who register an Account and use the Service; and (d) people whose personal data is provided to the Service by a Customer (for example, named test users).

1.3 Relationship with the Terms of Service

This Policy forms part of the agreement between Glia Quest and our Customers. Capitalised terms used but not defined here have the meanings given in the Terms of Service.

1.4 Applicable Frameworks

We design our processing activities to comply with: (a) the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO"); (b) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and the UK GDPR for individuals in the EEA and the UK; and (c) the Personal Data Protection Act 2012 of Singapore (the "Singapore PDPA") in relation to data hosted in Singapore.

2. Data Controller Identity and Contact Details

2.1 Controller

The data controller for the personal data described in this Policy is:

Glia Hong Kong Holdings Co., Limited
Company number: 79614428
Registered office: Room 5003, 5F Yau Lee Centre, 45 Hoi Yuen Road, Kwun Tong, Hong Kong

2.2 Privacy Contact

Privacy questions, requests and complaints can be sent to: privacy@glia.quest, or by post to the registered office above marked for the attention of the Privacy Officer.

2.3 EU Representative

Glia Quest's EU representative under Article 27 of the GDPR is [TO BE APPOINTED]. Contact: [TO BE CONFIRMED].

2.4 UK Representative

Where required, Glia Quest's UK representative under Article 27 of the UK GDPR is [TO BE APPOINTED]. Contact: [TO BE CONFIRMED].

3. What Personal Data We Collect

3.1 Account Data

When a Customer registers, we collect: name, email address, company name (where provided), password (stored as a one-way hash), country of residence (where provided) and any preferences set in the Account.

3.2 Usage Data

When a person uses the Service or visits glia.quest, we collect: IP address, device information (browser type and version, operating system), pages viewed, actions taken in the Service, timestamps of access and language preference.

3.3 Test Run Data

When a Customer initiates a Test Run we receive: the Target URL, configuration of toggles selected, any Credentials submitted for authenticated testing and any other data the Customer chooses to submit. The Service may incidentally process personal data of the Customer's end users that is rendered by the application during a Test Run (see clause 5).

3.4 Payment-Associated Data

When a Customer purchases Credits, the Customer's name, email address and billing country are passed to Stripe for payment processing. We do not receive or store full payment card numbers; we receive a Stripe customer identifier and the last four digits of the card for display purposes.

3.5 Waitlist Data

If a person joins the waitlist, we collect their email address and any optional information they provide (for example, the URL of an application they would like to test).

3.6 Communications

If a person contacts us by email, web form or social media, we collect the contents of the communication, the contact details used and any other information they choose to share.

3.7 Cookies and Similar Technologies

See clause 11 for the cookies we use.

4. How We Use Your Personal Data and Lawful Bases (GDPR)

4.1 Processing Activities and Lawful Bases

For individuals to whom the GDPR applies, we rely on the following lawful bases under Article 6 of the GDPR:

| Processing Activity | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| Creating and managing the Account | Name, email, password hash, country | Performance of contract (Art. 6(1)(b)) |
| Performing Test Runs requested by the Customer | Target URLs, Credentials, Test Run configuration | Performance of contract (Art. 6(1)(b)) |
| Generating, storing and delivering Work Product | Test Run data, derived navigation maps and reports | Performance of contract (Art. 6(1)(b)) |
| Processing payments through Stripe | Name, email, billing country, Stripe identifier | Performance of contract (Art. 6(1)(b)) |
| Detecting and preventing fraud, abuse and unauthorised access | Account data, usage data, IP address | Legitimate interests in protecting the Service, our Customers and third parties (Art. 6(1)(f)) |
| Improving and securing the Service through aggregated, de-identified analytics | Aggregated, de-identified usage and Test Run data | Legitimate interests in operating and improving the Service (Art. 6(1)(f)) |
| Sending service-related notifications (transactional email) | Email address | Performance of contract (Art. 6(1)(b)) |
| Sending direct marketing about similar services to existing Customers | Email address, Account data | Legitimate interests, with opt-out (Art. 6(1)(f)) |
| Responding to data subject rights requests and regulatory enquiries | Account data, communication contents | Legal obligation (Art. 6(1)(c)) |
| Communicating with waitlist subscribers about launch | Email address, optional URL | Consent (Art. 6(1)(a)) |

4.2 Legitimate Interests Balancing

Where we rely on legitimate interests, we have considered the impact on individuals and concluded that our interests do not override their rights and freedoms. Individuals have the right to object to processing on this basis as set out in clause 9.

4.3 PDPO Compliance

For all individuals, our processing follows the six Data Protection Principles under the PDPO:

(a) DPP1 — Personal data is collected by lawful and fair means for purposes directly related to a function or activity of Glia Quest. The purposes and the classes of transferees are disclosed in this Policy.

(b) DPP2 — Personal data is kept accurate and is retained only for as long as necessary for the purpose for which it is collected (see clause 7).

(c) DPP3 — Personal data is used only for the purpose for which it was collected or a directly related purpose, unless the data subject's prescribed consent is obtained.

(d) DPP4 — We take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use (see clause 8).

(e) DPP5 — This Policy fulfils the openness obligation by disclosing the kind of personal data we hold and our policies and practices for handling it.

(f) DPP6 — Data subjects have the right to ascertain whether we hold personal data about them and to access and correct that data (see clause 9).

5. The Authenticated Testing Scenario

When a Customer provides Credentials for authenticated testing, our AI agent navigates the Customer's application as an authenticated user. We do not intentionally collect, extract or store personal data of the Customer's end users encountered during testing. Screenshots captured during testing may incidentally contain end-user data; these screenshots are held temporarily and deleted after the Test Report is delivered to the Customer.

The Customer is responsible for ensuring that its use of Glia Quest for authenticated testing complies with its own privacy policy and any Applicable Law governing its relationship with its end users. The Customer warrants in the DPA that it will not submit Credentials for applications that contain sensitive special-category personal data without first putting in place the additional contractual provisions referenced in the DPA.

6. Sharing Your Personal Data with Third Parties

6.1 Sub-Processors

We use the following Sub-Processors to deliver the Service. Each is bound by contractual obligations to protect personal data and to process it only on our instructions, with appropriate transfer mechanisms where applicable.

| Sub-Processor | Role | Location of Processing |
| --- | --- | --- |
| Supabase (operated on Amazon Web Services) | Database hosting: Account data, Work Product, Test Run metadata | Singapore (AWS ap-southeast-1) |
| Anthropic, PBC | AI inference (Claude API): processing of Target URL data, navigation instructions and application structure | United States |
| Browserbase | Browser infrastructure for Test Run execution | United States and European Union |
| Stripe, Inc. | Payment processing | United States |

6.2 Other Recipients

We may also disclose personal data to:

(a) Professional advisers (lawyers, accountants and auditors) under obligations of confidentiality, where necessary to receive their advice or to protect our rights;

(b) Authorities where required by Applicable Law or by an order of a competent court or regulator;

(c) Successors in connection with a merger, acquisition, reorganisation, sale of assets or similar corporate transaction, subject to appropriate confidentiality protections; and

(d) Other parties with the relevant individual's consent.

6.3 No Sale of Personal Data

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.

7. International Data Transfers

7.1 Transfers Outside Hong Kong

Operating the Service requires transfers of personal data outside Hong Kong:

(a) Account data, Work Product and Test Run metadata are stored on Supabase infrastructure hosted in Singapore (AWS ap-southeast-1).

(b) Test Run data is sent to Anthropic in the United States for AI inference.

(c) Browser sessions used to perform Test Runs run on Browserbase infrastructure in the United States and the European Union.

(d) Payment data is sent to Stripe in the United States.

7.2 Hong Kong PDPO

Section 33 of the PDPO has not been brought into force. Where personal data is transferred from Hong Kong, we rely on contractual safeguards with our Sub-Processors and process the data only for the purposes for which it was collected, in line with DPP3 and DPP4.

7.3 GDPR Transfers

For personal data of individuals in the European Economic Area or the United Kingdom, we rely on the following transfer mechanisms under Chapter V of the GDPR (and the equivalent UK regime):

(a) Supabase — the European Commission's Standard Contractual Clauses (modules as applicable), as incorporated into the Supabase data processing agreement;

(b) Anthropic — the European Commission's Standard Contractual Clauses, as incorporated into the Anthropic data processing agreement, together with Anthropic's zero-default-retention API configuration;

(c) Browserbase — the European Commission's Standard Contractual Clauses, as incorporated into the Browserbase terms; and

(d) Stripe — the European Commission's Standard Contractual Clauses, as incorporated into Stripe's data processing agreement.

We have conducted, and update from time to time, a transfer impact assessment for transfers to the United States. Copies of the Sub-Processors' transfer documentation are available on request.

7.4 Singapore PDPA

Where personal data is transferred from Singapore to a country outside Singapore (for example, to Anthropic in the United States), we ensure that the recipient is bound by legally enforceable obligations to provide a comparable standard of protection to that under the Singapore PDPA, as required by section 26 of the Singapore PDPA.

8. Security Measures

8.1 Technical and Organisational Measures

We use technical and organisational measures designed to protect personal data, including: encryption of data in transit using current TLS standards; encryption of Credentials and other sensitive data at rest using AES-256 (or equivalent); access controls based on role and least privilege; multi-factor authentication for our personnel; logging and monitoring of access to systems holding personal data; regular review of Sub-Processor security practices; and incident response procedures.

8.2 No Absolute Security

No method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of personal data.

8.3 Breach Notification

If we become aware of a personal data breach that affects a Customer's personal data, we will notify the affected Customer without undue delay and in any event within seventy-two (72) hours of discovery, in line with the GDPR. Where the law requires it, we will also notify the relevant supervisory authority and affected data subjects within the timescales set by Applicable Law. Our processor-side breach notification commitment to Customers is set out in the DPA.

9. Your Rights

9.1 Rights under PDPO

Under the PDPO, you have the right to:

(a) ask us whether we hold any personal data about you;

(b) request a copy of personal data we hold about you; and

(c) request that we correct any personal data that is inaccurate.

9.2 Rights under GDPR

For individuals in the EEA, the UK or otherwise where the GDPR applies, you have the right to:

(a) Access — request a copy of personal data we hold about you (Art. 15);

(b) Rectification — request correction of inaccurate or incomplete personal data (Art. 16);

(c) Erasure — request deletion of personal data in certain circumstances (Art. 17);

(d) Restriction — request that we restrict the processing of your personal data in certain circumstances (Art. 18);

(e) Portability — receive personal data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible (Art. 20);

(f) Object — object to processing based on legitimate interests, including profiling, and to direct marketing (Art. 21);

(g) Withdraw consent — withdraw consent at any time where we rely on consent, without affecting the lawfulness of prior processing (Art. 7);

(h) Not be subject to solely automated decision-making that produces legal or similarly significant effects (Art. 22) — we do not currently make such decisions;

(i) Lodge a complaint with a supervisory authority (see clause 15).

9.3 Rights under Singapore PDPA

Where the Singapore PDPA applies, you have the right to request access to and correction of personal data we hold about you, and to withdraw consent on which we rely.

9.4 California Residents

If you are a California resident, additional rights may apply to you under the California Consumer Privacy Act, including the right to know what personal information we have collected, to request deletion and to opt out of the sale or sharing of personal information. Glia Quest does not sell or share personal information for cross-context behavioural advertising. We will respond to verified requests in accordance with Applicable Law.

9.5 How to Exercise Your Rights

You can exercise your rights by contacting us at privacy@glia.quest. We may need to verify your identity before responding. We will respond within the time required by Applicable Law (and in any event within thirty (30) days for GDPR requests, extendable by a further sixty (60) days where necessary, with notice).

10. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@glia.quest and we will take steps to delete that data.

11. Cookies and Tracking

11.1 Essential Cookies Only

We use only strictly necessary cookies. These are:

(a) a session cookie that authenticates the Customer to the Account and keeps the Customer signed in; and

(b) Stripe.js cookies set by Stripe on payment pages for fraud prevention and to enable secure payment processing.

11.2 No Analytics or Marketing Cookies

We do not currently use cookies for analytics, advertising, profiling or behavioural tracking. As a result, no cookie consent banner is required for the Service. If we add non-essential cookies in the future, we will update this Policy and provide an appropriate consent mechanism.

11.3 Browser Controls

You can configure your browser to reject cookies. Rejecting strictly necessary cookies will impair the operation of the Service and may prevent you from signing in.

12. Stripe Payment Processing

Payment processing for the Service is handled by Stripe, Inc. ("Stripe") and its affiliates. When a Customer purchases Credits:

(a) Stripe collects and processes the Customer's payment data, including card or bank-account details, name and billing address, as a separate data controller for its own fraud-prevention and compliance purposes;

(b) Stripe is responsible for the security and lawful processing of payment data in accordance with Stripe's own privacy policy, available at stripe.com/privacy; and

(c) Glia Quest does not receive, store or have access to the Customer's full payment card number. Glia Quest receives a Stripe customer identifier, the last four digits of the card and a transaction reference.

Customers should review Stripe's privacy notice to understand how Stripe processes their payment data.

13. Third-Party Services

13.1 Anthropic Claude API

Test Run data (including Target URLs, navigation instructions and application structure data) is processed by Anthropic, PBC ("Anthropic") through the Claude API. We confirm that:

(a) Anthropic does not use API inputs or outputs to train its AI models;

(b) Anthropic retains API data for a maximum of thirty (30) days for abuse-monitoring purposes, after which it is deleted; and

(c) the Anthropic Claude API is governed by Anthropic's privacy policy and API terms.

We have entered into a data processing agreement with Anthropic that incorporates the European Commission's Standard Contractual Clauses for transfers to the United States.

13.2 Supabase

Supabase provides the database and authentication platform on which the Service runs. Supabase processes data in Singapore on AWS infrastructure (ap-southeast-1) and is bound by a data processing agreement with us that incorporates the European Commission's Standard Contractual Clauses.

13.3 Browserbase

Browserbase provides the browser infrastructure used to execute Test Runs. Browser sessions run in Browserbase's data centres in the United States and the European Union and are bound by Browserbase's terms and applicable transfer mechanisms.

14. Data Retention

14.1 Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following table.

| Data Category | Retention Period |
| --- | --- |
| Account data (name, email, company) | Duration of the Account, plus 90 days after closure |
| Test Run results, navigation maps, reports | 12 months from generation; longer if the Customer chooses to keep them in the Account |
| Screenshots | Deleted promptly after the relevant Work Product has been delivered to the Customer |
| Credentials submitted for authenticated testing | Deleted promptly after the relevant Test Run; in any event no longer than 24 hours |
| Application URLs submitted for testing (Target URLs) | 12 months; de-identified or deleted thereafter |
| Payment records (Stripe transaction reference, amount, date) | 7 years, to meet accounting and tax obligations under Hong Kong law |
| Waitlist email addresses | 24 months from sign-up, or until an Account is created, whichever is earlier |
| Security and access logs | 90 days |
| Anthropic API logs | A maximum of 30 days, controlled by Anthropic |
| Records of data subject rights requests | 3 years from response, to evidence compliance |

14.2 Beyond the Retention Period

After the relevant retention period, we delete or anonymise personal data, except where we are required by Applicable Law to retain it (for example, for accounting or to defend legal claims) or where the data has been aggregated and de-identified so that it no longer identifies any individual.

15. Changes to this Policy

15.1 Updates

We may update this Policy from time to time to reflect changes in our practices, the Service or Applicable Law. The "Effective date" at the top of the Policy indicates when it was last updated.

15.2 Notice

Where a change is material, we will give at least thirty (30) days' prior notice by email to the address registered to the Account or by prominent notice in the Service before the change takes effect.

16. Contact and Complaints

16.1 Contact

To contact us about privacy, write to privacy@glia.quest or by post to the registered office set out in clause 2.1.

16.2 Complaints

If you have a complaint about how we have handled your personal data, please contact us first so that we can try to resolve it. You also have the right to lodge a complaint with the relevant supervisory authority:

(a) Hong Kong — Office of the Privacy Commissioner for Personal Data (PCPD): pcpd.org.hk;

(b) EEA — the data protection authority of your country of habitual residence, place of work or alleged infringement;

(c) United Kingdom — the Information Commissioner's Office: ico.org.uk; and

(d) Singapore — the Personal Data Protection Commission: pdpc.gov.sg.