Legal
Privacy Policy
Transparency is the product, so it is also the policy. This explains exactly what we collect, why, who else touches it, and the control you keep.
Last updated: 30 June 2026
1. Who we are
Glytos is a platform for building, testing, and running real-time voice and chat AI agents. This policy covers the Glytos website, dashboard, and APIs (the "Service"). When you use Glytos to serve your own users, you are the data controller for your end users data and Glytos acts as your processor; for your own account data, Glytos is the controller.
2. Data we collect
We collect only what the Service needs to function:
- Account data: name, email, password (stored only as a salted bcrypt hash), organization, and billing details.
- Agent and configuration data: the prompts, workflows, knowledge bases, and settings you create.
- Conversation data: transcripts, structured extractions, per-step cost and latency, and call audio when you enable recording.
- Usage and billing data: call counts, minutes, credit balance, and provider cost metering.
- Technical data: IP address, browser/device information, and request logs kept for security and debugging.
3. How we use it
To provide and operate the Service: run your agents, render transcripts, cost and latency in your dashboard, meter usage, bill credits, secure accounts, and provide support. We do not sell your data, and we do not use your conversation content to train our own models.
4. Conversation and voice data
Conversations are processed in real time to transcribe speech, decide responses, and synthesize voice. Recording is off unless you turn it on per agent, and HIPAA mode disables recording entirely.
Optional PII redaction removes emails, phone numbers, and card/ID-like numbers from stored transcripts when a call ends. You decide what is retained and for how long.
5. Subprocessors and your own keys
To deliver speech and intelligence, conversations may be routed, based on the providers you select, to third-party model, speech-to-text, text-to-speech, and telephony providers (for example OpenAI, Anthropic, Google, Deepgram, ElevenLabs, Cartesia, and Twilio or other carriers), plus our cloud hosting and storage providers.
- You choose which providers an agent uses.
- With bring-your-own-keys, requests go directly to your own provider accounts under your contracts with them, and your keys are encrypted at rest.
- Each provider processes data only to return the result for that request.
6. Retention
You control retention. Transcripts and recordings persist until you delete them or your configured retention elapses. API access logs default to 30 days. Deleting an agent, session, or organization removes the associated data, subject to short backup and legal-hold windows.
7. Security
Data is encrypted in transit (TLS) and provider credentials are encrypted at rest. Access is scoped per organization, passwords are bcrypt-hashed, and sessions use signed, expiring tokens. See our Security page for the full posture.
8. Your rights (GDPR and KVKK)
Depending on your location you have rights to access, correct, export, restrict, object to, and delete your personal data. Under Turkey KVKK (Law No. 6698, Article 11) you may also learn whether your data is processed and request it be corrected or erased. The dashboard provides a personal-data export, and you can exercise any right by contacting us.
9. International transfers
Glytos and its subprocessors may process data in countries other than yours. Where required, transfers rely on appropriate safeguards such as standard contractual clauses.
10. Cookies
We use a small number of strictly necessary items: a language preference cookie and a session token to keep you signed in. We do not use advertising or cross-site tracking cookies.
11. Children
The Service is for businesses and is not directed to children under 16. We do not knowingly collect their data.
12. Changes and contact
We will update this policy as the Service evolves and revise the date above. For any privacy request or question, contact contact@glytos.com.