Privacy Policy

Last updated: 11 July 2026

1. Who we are

Ghloria is a product of Threadflare, LDA, a Portuguese company with NIPC 519407369 and registered office at Rua Snu Abecassis, nº 4, 6D, 1750-062 Lisboa, Portugal. Threadflare, LDA is the controller of personal data collected through the public Ghloria website and waitlist.

Questions about this Policy or requests concerning personal data may be sent to hello@ghloria.com.

2. Scope of this Policy

This Policy applies when you visit ghloria.com, contact us, join the waitlist, communicate with our team, or otherwise interact with the public website. It does not govern personal data processed inside the Ghloria SaaS platform on behalf of an agency customer. That processing is governed by the relevant customer agreement and data processing terms.

The public website is intended primarily for travel agencies, their personnel, prospective business customers, partners, and job candidates.

3. Information you provide

When you join the waitlist or contact us, we may collect your name, agency or company name, professional email address, telephone number, estimated proposal volume, operational challenges, preferred contact time, language, consent selections, and the content of your message.

If you apply for a role or begin a commercial discussion with us, we may also collect the professional, contractual, and correspondence information that you choose to provide. Please do not submit passport details, payment-card information, health information, or other sensitive traveler data through the public website.

4. Information collected automatically

When you use the website, our systems and infrastructure providers may receive technical information such as IP address, browser and device type, operating system, requested pages, referring page, approximate location derived from IP, timestamps, error and security events, and performance measurements.

We use this information to deliver and secure the website, diagnose faults, understand aggregate performance, and prevent abuse. We do not use the public website to make decisions that produce legal or similarly significant effects about you.

5. Cookies and similar technologies

The website may use strictly necessary storage for functions such as remembering language preferences and maintaining security. We may also use privacy-conscious performance measurement to understand page speed and reliability.

If we introduce non-essential advertising, profiling, or analytics cookies, we will request consent where required and provide controls to withdraw it. You can also manage cookies through your browser, although blocking necessary storage may affect some features.

6. Why we use personal data

We use personal data to operate and secure the website; manage the waitlist and early-access programme; respond to enquiries; assess whether Ghloria may fit an agency's operations; arrange demonstrations and commercial conversations; maintain business records; improve our communications and website; establish, exercise, or defend legal claims; and comply with legal obligations.

Our legal bases under the GDPR are steps requested before entering a contract, our legitimate interests in operating and developing a B2B service and communicating with prospective customers, compliance with legal obligations, and consent where the law specifically requires it. Where processing relies on consent, you may withdraw it at any time without affecting earlier lawful processing.

7. How we obtain information

We generally obtain information directly from you. We may also receive professional contact information from a colleague at your organisation, a referral partner, public professional profiles, event organisers, or other legitimate business sources. Where required, we will provide the relevant privacy information within the period established by law.

8. Service providers and recipients

We disclose personal data only where reasonably necessary to operate the website and our business. Recipient categories may include cloud hosting and infrastructure providers, database and storage providers, email delivery and communications providers, professional advisers, and public authorities where disclosure is legally required.

Our current infrastructure may involve Google Cloud, Supabase, Vercel, and Resend. These providers process data under their own contractual and security commitments and only for the services we request. We may also disclose information in connection with a financing, reorganisation, merger, acquisition, or sale, subject to appropriate confidentiality and legal safeguards.

9. International transfers

Ghloria configures production data storage in the European Union. Some service providers may be headquartered outside the European Economic Area or provide limited support from other countries. If a transfer outside the EEA occurs, we will use a lawful transfer mechanism, such as an adequacy decision or approved standard contractual clauses, together with supplementary safeguards where appropriate.

10. Retention

We keep personal data only for as long as reasonably necessary for the purpose for which it was collected. Waitlist and prospect information may be retained while an early-access or potential business relationship remains active and is reviewed periodically. We remove or anonymise it when it is no longer needed, when a valid erasure or objection request applies, or when continued retention is not justified.

Correspondence, security records, and contractual or legal records may be retained for the periods needed to provide support, comply with law, resolve disputes, and establish or defend claims. Data in backups is removed through the normal backup-rotation cycle. Retention may be extended where required by law, litigation hold, or an active dispute.

11. Security

We use proportionate technical and organisational measures intended to protect personal data against accidental or unlawful loss, alteration, disclosure, or access. Measures are selected having regard to the nature of the data, available technology, implementation cost, and processing risk.

No internet service can guarantee absolute security. You should use appropriate care when sending information online and notify us promptly if you suspect misuse of Ghloria communications or systems.

12. Your data protection rights

Subject to the conditions in applicable law, you may request access to your personal data, correction of inaccurate data, erasure, restriction of processing, data portability, or object to processing based on legitimate interests. You have an unconditional right to object to direct marketing. You may also withdraw consent where consent is the legal basis.

Send requests to hello@ghloria.com. We may request reasonable information to verify your identity and will respond within the period required by law. These rights are not absolute, and we may retain information where a lawful exception applies.

13. Complaints

Please contact us first so that we can try to resolve your concern. You also have the right to lodge a complaint with the Portuguese supervisory authority, Comissão Nacional de Proteção de Dados (CNPD), or with the supervisory authority in your habitual residence, place of work, or place of the alleged infringement.

14. Children

The public website and waitlist are directed to business professionals and are not intended for children. We do not knowingly collect personal data from children through these services. If you believe a child has provided information to us, contact hello@ghloria.com so that we can assess and delete it where appropriate.

15. Changes to this Policy

We may update this Policy to reflect changes in our website, business, providers, or legal obligations. We will publish the revised version here and update the date above. Where a change materially affects how we use personal data, we will provide an additional notice when appropriate.