How glomotec processes personal data
This Privacy Policy explains how glomotec and glomotec (together, “glomotec”) collect, use, store, share, and protect personal data when you access glomotec.com, the SIGNAL qualification platform at signal.glomotec.com, or any other module of the glomotec platform.
It is incorporated by reference into the Terms of Use and supplements them. It is written to satisfy the United Kingdom General Data Protection Regulation, the European Union General Data Protection Regulation, the California Consumer Privacy Act and California Privacy Rights Act, the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and applicable data protection law in every jurisdiction in which glomotec operates.
Where mandatory data protection laws in your jurisdiction grant you rights or protections beyond those described here, those mandatory provisions apply and your statutory rights are preserved in full.
This Privacy Policy is issued by glomotec, Inc., a corporation incorporated in the State of Delaware, United States of America, with registered office at 131 Continental Drive, Suite 305, Newark, DE 19713, United States, together with its affiliates (collectively, “glomotec”).
The affiliates of glomotec, Inc., which operate as regional licensees of the platform, are:
Global Mobility Technologies LLC, a limited liability company organised under the laws of the State of Wyoming, United States of America, with registered office at 1309 Coffeen Avenue, STE 15705, Sheridan, WY 82801, and principal place of business at 809 Cuesta Drive, Suite B PMB 1177, Mountain View, CA 94040. Joint controller for processing under UK GDPR and EU GDPR.
GLOMOTEC LTD, a private limited company registered in England and Wales under Companies House registration number 13211798, with registered office at Suite 116, Lovell House, Birchwood Park, Warrington, Cheshire WA3 6FW, United Kingdom. Joint controller for processing under UK GDPR and EU GDPR.
RM Project Management Services Co. LLC, a limited liability company licensed in the Emirate of Dubai, United Arab Emirates under Department of Economy and Tourism licence number 1158581, with offices at 114 Al Fajer Complex, Umm Hurair Road, Dubai, United Arab Emirates. Independent controller for processing under the UAE Personal Data Protection Law.
References in this Privacy Policy to “glomotec,” “we,” “us,” or “our” mean glomotec, Inc. and its affiliates, except where the context requires otherwise. Where a glomotec affiliate acts as controller for the personal data of users in a particular jurisdiction, that affiliate is bound by the same standards set out in this policy, applied through the local regulatory framework in force in that jurisdiction.
Region-specific rights and the supervisory authorities to which you may complain are set out in Sections 20 to 24.
Notices and correspondence concerning this Privacy Policy must be addressed to glomotec, Inc. at its registered office in Newark, Delaware, or care of Global Mobility Technologies LLC at its Mountain View principal place of business, or by email to privacy@glomotec.com.
1.1 Who this applies to
This Privacy Policy applies to every person (a “data subject”) whose personal data is processed by glomotec, including visitors to glomotec.com, users of the SIGNAL qualification platform at signal.glomotec.com, individuals who submit a contact or partnership form, candidates who submit a CV through the careers process, partners and counterparties whose representatives interact with the platform, and any other natural person whose personal data we process in the course of operating the platform.
1.2 Who the controller is
For the purposes of the United Kingdom GDPR, the European Union GDPR, the United Arab Emirates PDPL, and equivalent law, the data controllers responsible for the processing described in this Privacy Policy are:
- Global Mobility Technologies LLC, a limited liability company organised under the laws of the State of Wyoming, United States of America, with principal place of business at Mountain View, California, United States. Joint controller under UK GDPR and EU GDPR.
- GLOMOTEC LTD, a private limited company registered in England and Wales (Companies House registration number 13211798), with registered office at Birchwood Park, Warrington, United Kingdom. Joint controller under UK GDPR and EU GDPR, responsible for processing related to United Kingdom users and operations.
- RM Project Management Services Co. LLC, a limited liability company licensed in the Emirate of Dubai, United Arab Emirates (Department of Economy and Tourism licence number 1158581), with offices at Umm Hurair Road, Dubai. Independent controller under the UAE Personal Data Protection Law for processing of United Arab Emirates resident data.
Where this Privacy Policy refers to “glomotec,” “we,” “us,” or “our,” it refers to whichever of these entities is the controller for the processing in question. Global Mobility Technologies LLC and GLOMOTEC LTD operate as joint controllers in respect of certain processing activities under UK GDPR and EU GDPR, including platform operation, security, and sub-processor engagement, and have entered into a joint controller arrangement consistent with Article 26 of the UK GDPR and the EU GDPR. The essence of that arrangement is available on request. RM Project Management Services Co. LLC acts as an independent controller for the personal data of United Arab Emirates residents under the UAE Personal Data Protection Law and is not party to the Article 26 joint controller arrangement.
1.3 Scope of the platform
This Privacy Policy covers all websites, applications, application programming interfaces, downloadable software, and services made available by glomotec, including the SIGNAL qualification platform, the COMPASS execution layer, the VECTOR talent mobility infrastructure, the ORBIT partner network, the ENGINE licensable platform, the ATLAS institutional infrastructure, and any other module operated under the glomotec brand.
1.4 Other documents that apply
This Privacy Policy operates alongside the Terms of Use and the Cookie Policy. Where you engage glomotec under a separate written agreement (for example, a Module-specific engagement, an ENGINE licence, or an ATLAS programme), additional or different processing terms set out in that agreement may apply to that engagement. In the event of a conflict between this Privacy Policy and a written agreement signed by both parties, the written agreement controls solely with respect to the engagement it covers.
The following defined terms are used throughout this Privacy Policy. Where a term has a specific meaning under applicable law (including the UK GDPR, the EU GDPR, the CCPA, the CPRA, and the UAE PDPL), the statutory meaning controls.
“Personal data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
“Controller” means the entity that determines the purposes and means of processing personal data.
“Processor” means an entity that processes personal data on behalf of a controller.
“Sub-processor” means a processor engaged by glomotec to process personal data on its behalf in connection with the platform.
“Special category data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Equivalent terms include “sensitive personal information” under the CCPA / CPRA.
“Pseudonymisation” means the processing of personal data in a way that the data can no longer be attributed to a specific data subject without the use of additional information that is kept separately and subject to safeguards.
“Supervisory authority” means an independent public authority responsible for monitoring the application of data protection law in a relevant jurisdiction.
“Module” means any of SIGNAL, COMPASS, VECTOR, ORBIT, ENGINE, or ATLAS.
The categories of personal data glomotec collects depend on which surface you interact with and how. The list below is comprehensive across the platform; not every category is collected from every user.
3.1 Identity and contact data
- Full name, given name, family name, salutation
- Email address (work, personal, where supplied)
- Phone number (where supplied)
- Postal address (where supplied for commercial or legal correspondence)
- Authenticated identity from a federated provider (Google OAuth) where you elect to sign in with Google, including the identifier issued by that provider, the verified email address associated with that account, and your display name and profile photo where the provider exposes them
3.2 Application and qualification data
Where you interact with the SIGNAL qualification flow, we collect:
- Country of current residence and country of citizenship (passport country)
- Persona classification (individual, family office, enterprise, institutional, advisor, or the eleven-position persona schema in use within SIGNAL)
- Target market or jurisdiction
- Strategic objective (the reason you are exploring mobility)
- Indicative timeline
- Other free-text or structured information you provide during the qualification flow
3.3 Document and case data
Where you submit documents through the platform (passport scans, identity documents, supporting evidence, sponsor letters, financial statements, and similar), we collect the document content and the metadata associated with each document, including filename, format, size, upload timestamp, and any classification you apply.
3.4 Communication data
Where you contact glomotec through any channel (engagement form, email, support request, telephone, video conference, in-app chat), we retain the content and metadata of that communication, including timestamps, the channel used, and any attachments.
3.5 Compliance and screening data
To meet legal obligations under sanctions, anti-money-laundering, counter-terrorist-financing, and similar regimes, we may process information necessary to perform identity verification, sanctions screening, politically-exposed-person screening, source-of-funds verification, and adverse-media screening, including data returned by third-party screening providers under contract with us.
3.6 Technical and device data
- Internet protocol address
- Browser type, version, language, and engine
- Device type, operating system, and screen resolution
- Referring URL and exit URL
- Time zone and approximate location inferred from IP
- Pages viewed, features used, time spent on the platform, click and scroll patterns
- Errors encountered, performance metrics, and security events
3.7 Cookies and similar technologies
We collect data through cookies, local storage, session storage, web beacons, and similar technologies. The categories of these technologies, the specific items in use, and your options for managing them are detailed in the Cookie Policy.
3.8 Inferred and derived data
From the data above, we may derive additional data about you, including (where the SIGNAL flow is engaged) a structured assessment of your mobility position. Derived data is itself personal data and is governed by this Privacy Policy.
3.9 Data we do not deliberately collect
The platform is not intended for the collection of special category data or sensitive personal information unless you affirmatively choose to provide it for a specific purpose connected to your engagement (for example, where a programme requires medical, religious, or political affiliation information). Where such data is provided, it is processed under explicit consent or another lawful basis under Article 9 of the UK GDPR and EU GDPR. See Section 7.
4.1 Directly from you
Most personal data we hold is provided directly by you when you register an account, complete the SIGNAL qualification flow, submit any contact or engagement form, send us a message, upload a document, attend a meeting or call, or otherwise interact with us.
4.2 From third parties
We may receive personal data about you from:
- Authentication providers, where you elect to sign in with a federated identity provider (currently Google). The provider sends us the identity claims associated with your account.
- Compliance and screening providers, where applicable, who return sanctions, politically-exposed-persons, and adverse-media screening results.
- Partner law firms, advisory firms, sponsors, and government services, where you have engaged them and have authorised the exchange of information necessary to support your case or programme.
- Public sources, such as government registries, professional registries, and openly published business information, where relevant to a corporate or institutional engagement.
- Analytics and security providers, who provide aggregated and individual-level data necessary to operate, secure, and improve the platform.
4.3 Automatically
Some data is collected automatically when you interact with the platform, including technical and device data described in Section 3.6 and the cookies and similar technologies described in the Cookie Policy.
We process personal data for the purposes set out below. Each purpose is connected to a lawful basis identified in Section 6.
5.1 To provide the platform and the services you request
- Operating the SIGNAL qualification flow and producing the assessment you have requested
- Operating the COMPASS execution layer in any case in which you are engaged
- Operating the VECTOR talent mobility infrastructure, the ORBIT partner network, the ENGINE licensable platform, and the ATLAS institutional infrastructure for the parties engaged with each
- Authenticating you and managing your account
- Communicating with you about your account, your case, your programme, or your engagement
- Responding to your enquiries, applications, and requests
5.2 To meet legal and regulatory obligations
- Identity verification, sanctions screening, anti-money-laundering, counter-terrorist-financing, anti-bribery, and similar compliance checks
- Recordkeeping under tax, corporate, immigration, and other applicable law
- Responding to lawful requests from government authorities, courts, and regulators
- Investigating and reporting fraud, abuse, or misuse of the platform
5.3 To secure and protect the platform
- Detecting, preventing, investigating, and responding to security incidents
- Protecting the rights, safety, and property of glomotec, our users, our partners, and others
- Maintaining audit trails and integrity records
5.4 To improve the platform and develop new services
- Quality assurance and performance monitoring
- Product research and development, including the development and improvement of the SIGNAL qualification logic and other artificial-intelligence and machine-learning components, in each case in accordance with this Privacy Policy and applicable law
- Aggregated, statistical, and anonymous analysis
5.5 To communicate about glomotec
- Sending operational notifications about the platform, your account, and your engagements
- Sending marketing communications where you have provided consent or where applicable law permits us to rely on legitimate interests
- Conducting client and partner satisfaction surveys
5.6 To exercise legal rights and defend claims
- Establishing, exercising, or defending legal claims, regulatory proceedings, or arbitral disputes
- Internal record-keeping for evidential purposes
Under the UK GDPR and the EU GDPR, glomotec relies on one or more of the following lawful bases for each processing activity. Equivalent provisions of the UAE PDPL, the CCPA, the CPRA, and other applicable laws apply where you are protected by them.
6.1 Performance of a contract (Article 6(1)(b))
Where the processing is necessary for the performance of a contract with you, including the platform terms accepted on use, or to take steps at your request before entering into a contract. This basis covers operating your account, delivering the services you request, processing your submissions, and communicating with you about your engagement.
6.2 Consent (Article 6(1)(a))
Where you have given clear, affirmative consent to a specific processing activity. Consent applies in particular to:
- Marketing communications by email or other channels where applicable law requires opt-in consent
- Non-essential cookies and similar tracking technologies
- Disclosure of your information to a partner law firm, advisory firm, or sponsor
- Processing of special category data where Article 9 applies
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw, contact privacy@glomotec.com or use the relevant in-platform control.
6.3 Legal obligation (Article 6(1)(c))
Where the processing is necessary for compliance with a legal obligation to which glomotec is subject, including obligations under sanctions, anti-money-laundering, anti-bribery, immigration, tax, corporate, and recordkeeping law in the jurisdictions in which we operate.
6.4 Legitimate interests (Article 6(1)(f))
Where the processing is necessary for the legitimate interests pursued by glomotec or a third party, except where such interests are overridden by your interests, fundamental rights, or freedoms. The legitimate interests we pursue include:
- Operating, securing, and improving the platform
- Preventing fraud and misuse
- Conducting research, analytics, and product development on aggregated or pseudonymised data
- Direct marketing to existing institutional and corporate counterparties (subject to your right to object)
- Establishing, exercising, and defending legal claims
- Maintaining the integrity of compliance and audit records
We carry out a balancing test before relying on legitimate interests. A summary of any specific balancing test is available on request to privacy@glomotec.com.
6.5 Vital interests and public task
In rare cases, glomotec may rely on Article 6(1)(d) (vital interests) or Article 6(1)(e) (public task) of the UK GDPR or EU GDPR. These bases are limited to the narrow circumstances they cover.
Mobility, immigration, residency, and citizenship processes occasionally involve information that constitutes special category data under the UK GDPR and EU GDPR or sensitive personal information under the CCPA / CPRA, including data revealing health status, religious affiliation, political opinion, racial or ethnic origin, biometric data used for unique identification, or data concerning sexual orientation.
7.1 We do not actively seek special category data
The platform is not designed to collect special category data. Where it is necessary in connection with a programme or filing (for example, where a residency programme requires a religious affiliation declaration, or where biometric verification is required), we collect only the minimum necessary and process it under one of the bases below.
7.2 Lawful basis under Article 9
Where we process special category data, we rely on one of the bases under Article 9(2):
- Explicit consent (Article 9(2)(a)) for most processing connected to your case
- Establishment, exercise, or defence of legal claims (Article 9(2)(f)) where applicable
- Substantial public interest (Article 9(2)(g)) for compliance, sanctions, and similar processing where authorised by member-state or domestic law
7.3 Sensitive personal information under the CCPA and CPRA
If you are a California resident, you have the right to limit the use and disclosure of your sensitive personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted under California Civil Code Section 1798.121(a). See Section 22.
The platform is not directed to children. We do not knowingly collect personal data from any individual under the age of eighteen, or such higher age of majority as is set by the law of your jurisdiction.
If you are under that age, do not access or use the platform, do not register for an account, and do not submit any information to glomotec. If we become aware that we have collected personal data from a person below the relevant age without proper parental or guardian authorisation, we will delete that data without undue delay.
If you are a parent or guardian and you believe we hold personal data of a minor, contact privacy@glomotec.com and we will respond promptly.
9.1 Categories of recipient
glomotec discloses personal data to the following categories of recipient and only as necessary for the purposes set out in Section 5:
- Sub-processors who provide infrastructure, processing, and support services on our behalf, identified in the table below
- Affiliated entities within the glomotec group, where the processing requires it
- Partner law firms, advisory firms, sponsors, employers, and government services, only with your consent or instruction, and only to the extent required to deliver the engagement
- Compliance and screening providers, where applicable, to satisfy legal obligations
- Professional advisors of glomotec (auditors, lawyers, accountants), bound by professional duties of confidentiality
- Government, regulatory, judicial, and law-enforcement authorities, where required by law, court order, or lawful request, or to protect the rights, safety, and property of glomotec, our users, our partners, and others
- Counterparties in a corporate transaction, including a merger, acquisition, financing, restructuring, or sale of all or substantially all of the business or assets, with appropriate safeguards and confidentiality protections
9.2 Sub-processors
The named sub-processors currently engaged by glomotec are:
| Sub-processor | Role | Jurisdiction |
|---|---|---|
| Anthropic, PBC | Artificial-intelligence model provider for the SIGNAL intelligence layer | United States |
| Supabase, Inc. | Database, authentication, and storage infrastructure | United States, with regional hosting in eu-west-2 (London) |
| Vercel, Inc. | Application hosting, edge functions, and content delivery | United States |
| Google, LLC | OAuth authentication where you sign in with Google | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Plausible Insights OÜ | Cookieless website analytics | Estonia, European Union |
| Microsoft Corporation | Email, calendar, and document collaboration via Microsoft 365 (where used by glomotec affiliated entities) | United States, with regional data residency where elected |
Each sub-processor is bound by a written data processing agreement that imposes obligations consistent with Article 28 of the UK GDPR and the EU GDPR, including obligations of confidentiality, security, sub-processing approval, breach notification, and assistance with data subject rights. We assess each sub-processor before engagement and on an ongoing basis.
9.3 Notification of changes
Where we engage a new sub-processor or replace an existing one, we update this Privacy Policy. Where you are an enterprise or institutional counterparty bound by a separate written agreement that requires advance notice, we provide that notice in accordance with the agreement.
9.4 No sale of personal data
glomotec does not sell personal data within the meaning of the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, or any other equivalent law. glomotec does not share personal data for cross-context behavioural advertising. See Section 22 for the rights this confers on California residents.
10.1 Where data may be processed
The glomotec platform is operated globally and personal data may be processed in any of the jurisdictions in which glomotec, our affiliates, or our sub-processors operate, including the United States, the United Kingdom, the European Union and the European Economic Area, the United Arab Emirates, and other locations as identified in Section 9.
10.2 Transfer mechanisms
Where personal data is transferred from the United Kingdom or the European Economic Area to a third country that has not received an adequacy decision from the relevant authority, glomotec relies on one or more of the following transfer mechanisms:
- The European Commission’s Standard Contractual Clauses (Decision 2021/914), as updated
- The United Kingdom International Data Transfer Agreement, or the United Kingdom Addendum to the European Standard Contractual Clauses, issued by the Information Commissioner’s Office
- Where applicable, the United Kingdom or European Union Data Privacy Framework programme operated by the United States Department of Commerce, where the relevant recipient is certified
- Specific derogations under Article 49 of the UK GDPR or the EU GDPR, where applicable and limited in scope
We carry out transfer impact assessments where required and apply supplementary technical, organisational, and contractual measures to ensure that personal data is protected to a standard substantially equivalent to that required under the UK GDPR and the EU GDPR.
10.3 Transfers from the United Arab Emirates
Where personal data is transferred from the United Arab Emirates, glomotec applies the safeguards required by Federal Decree-Law No. 45 of 2021, the executive regulations issued under it, and the requirements of the UAE Data Office. Where transfers occur from a Designated Free Zone (including the Dubai International Financial Centre and the Abu Dhabi Global Market), the data protection laws of those zones apply.
10.4 Copy of safeguards
You may request a copy of the relevant safeguards we use for international transfers (with confidential commercial information appropriately redacted) by writing to privacy@glomotec.com.
glomotec retains personal data for as long as necessary to fulfil the purposes for which it was collected, including any legal, regulatory, accounting, or reporting obligation. The table below sets out our default retention periods. Where law mandates a different period, the legal requirement controls.
| Data category | Retention period |
|---|---|
| Account and identity data | Duration of the relationship plus six (6) years from the last interaction, for the establishment and defence of legal claims |
| SIGNAL qualification records | Seven (7) years from completion, consistent with institutional record-keeping norms |
| Documents submitted in connection with a case or programme | Seven (7) years from final action, or longer where mandated by immigration, sanctions, or recordkeeping law |
| Compliance and screening data | Five (5) years from the screening event, or longer where mandated by law |
| Communications (email, support, in-platform messages) | Seven (7) years from the last communication |
| Marketing data | Until you withdraw consent or object, plus a short additional period to record the withdrawal |
| Aggregated analytics | Indefinitely, where the data is no longer attributable to an individual |
| Raw event-level analytics | Thirteen (13) months |
| Backups | Up to ninety (90) days on a rolling basis |
| Legal claims records | Until the end of the relevant limitation period plus a margin for review |
11.1 Earlier deletion on request
You may request earlier deletion of your personal data in accordance with Section 14. We will delete or anonymise the requested data unless we are required by law to retain it, in which case we will explain the basis for retention.
11.2 Anonymisation
Where data is anonymised so that it can no longer be attributed to a specific data subject, the resulting data is no longer personal data and may be retained and used by glomotec without the constraints of this Privacy Policy.
glomotec implements technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, consistent with the requirements of Article 32 of the UK GDPR and the EU GDPR and applicable provisions of the UAE PDPL.
12.1 Technical measures
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using industry-standard algorithms
- Row-level security on the database layer (Supabase) to enforce isolation between users and tenants
- Authentication via federated providers and strong authentication for administrative access
- Network segmentation, access control lists, and least-privilege provisioning
- Regular dependency, library, and platform updates
- Logging, monitoring, and alerting for security-relevant events
12.2 Organisational measures
- Access on a need-to-know and least-privilege basis
- Confidentiality obligations on every employee, contractor, and processor
- Documented information-security policies and procedures
- Vendor due diligence on each sub-processor before engagement and on an ongoing basis
- Periodic review of access rights and security configuration
- Incident-response process with clear roles and escalation
12.3 Breach notification
Where a personal data breach is likely to result in a risk to your rights and freedoms, glomotec will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR or the EU GDPR (or the equivalent obligation under applicable law). Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34, unless an exemption applies.
12.4 Your responsibilities
The security of your account also depends on you. Keep your authentication credentials confidential, use a strong and unique password, enable multi-factor authentication where offered, and notify us promptly at info@glomotec.com of any actual or suspected unauthorised access.
The platform uses cookies, local storage, session storage, and similar technologies to operate the site, authenticate users, remember your preferences, secure the platform, and produce aggregate analytics. Where applicable consent is required, we obtain it through the cookie banner or equivalent mechanism.
The categories of these technologies, the specific items in use, their duration, the parties that set them, and your options for managing them are set out in the Cookie Policy, which forms part of this Privacy Policy.
You may withdraw consent to non-essential cookies at any time through the cookie preferences mechanism on the site, by clearing cookies in your browser, or by contacting us at privacy@glomotec.com.
You have the rights set out below where the law of your jurisdiction grants them. Region-specific rights and the supervisory authorities to which you may complain are set out in Sections 20 to 24.
14.1 Right of access
You have the right to confirmation of whether we are processing your personal data and, where we are, access to that data and to the information required by Article 15 of the UK GDPR and the EU GDPR.
14.2 Right of rectification
You have the right to require us to correct inaccurate personal data and to complete incomplete personal data.
14.3 Right of erasure
You have the right to require us to erase your personal data where one of the grounds in Article 17 of the UK GDPR or the EU GDPR applies, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other lawful basis applies, or where the processing is unlawful.
14.4 Right of restriction
You have the right to require us to restrict the processing of your personal data where one of the grounds in Article 18 of the UK GDPR or the EU GDPR applies.
14.5 Right of portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the conditions of Article 20 of the UK GDPR and the EU GDPR are met.
14.6 Right to object
You have the right to object to the processing of your personal data on the basis of legitimate interests (including profiling), and the right to object to processing for direct marketing at any time. Where you object to direct marketing, we will stop the processing.
14.7 Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
14.8 Right not to be subject to automated decision-making
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. See Section 16.
14.9 Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority of your jurisdiction. See Section 18.
15.1 Where to send a request
To exercise any right described in Section 14, write to privacy@glomotec.com. You may also send a postal request to glomotec at the address in Section 27. State the right you wish to exercise, the specific personal data or processing concerned (where you can identify it), and the contact channel by which you wish to receive a reply.
15.2 Identity verification
To protect your data, we may need to verify your identity before responding to a request. We will request only the minimum information necessary and will explain why each piece is required. We may decline to act on a request where we cannot reasonably verify the identity of the requester.
15.3 Authorised agent
You may authorise another person or entity to make a request on your behalf. Where you do, we will require evidence of the authorisation and may verify the identity of both you and the agent.
15.4 Response timeline
We will respond to your request without undue delay and in any event within thirty (30) days of receipt. Where the request is complex or where we have received a number of requests from you, we may extend the period by up to a further sixty (60) days, in which case we will inform you of the extension and the reasons for it within the original thirty-day period.
15.5 Fees
Requests are handled free of charge. Where a request is manifestly unfounded or excessive, in particular because it is repetitive, we may charge a reasonable fee that reflects the administrative cost of providing the information or refuse to act on the request. We will explain our reasoning if we do.
15.6 No retaliation
We will not discriminate against you, terminate access, or otherwise penalise you for exercising any right described in this Privacy Policy. Where you are protected by laws that contain non-discrimination provisions (including the CCPA / CPRA), those provisions are honoured.
Right to human review of automated outputs
SIGNAL produces an automated qualification output using artificial intelligence and large language models. The output is informational only. Where applicable law (including UK GDPR Article 22 and EU GDPR Article 22) entitles you to human review of an automated decision producing legal or similarly significant effect, you may request that review at privacy@glomotec.com.
16.1 How SIGNAL works
The SIGNAL qualification flow asks you a structured set of questions and produces an assessment of your mobility position. The assessment is generated by automated systems, including third-party large-language-model providers operating under contract with glomotec. The assessment is informational and does not constitute legal advice, an immigration determination, a financial recommendation, or any binding decision.
16.2 Where Article 22 applies
Where a decision based solely on automated processing of your personal data produces a legal effect concerning you or similarly significantly affects you, Article 22 of the UK GDPR and the EU GDPR grants you the right not to be subject to that decision unless one of the exceptions in Article 22(2) applies. The exceptions include:
- The decision is necessary for entering into, or performing, a contract between you and glomotec
- You have given explicit consent
- The decision is authorised by Union or Member State law (or, in the United Kingdom, by domestic law) that lays down suitable measures to safeguard your rights, freedoms, and legitimate interests
Where one of the exceptions applies, you retain the right to obtain human intervention, to express your point of view, and to contest the decision.
16.3 How to obtain human review
To request human review of any automated output that affects you, write to privacy@glomotec.com describing the output, when it was generated, and the basis on which you request review. A member of the glomotec team will review the output and respond within thirty (30) days.
16.4 Logic, significance, and consequences
The general logic of SIGNAL involves matching the information you provide against structured representations of jurisdictional eligibility frameworks and producing a written assessment. The significance of the output is informational; the consequence of the output is to inform your subsequent steps. The output is not a determination by any government, regulator, or licensed professional, and outcomes in any application or process remain at the discretion of the relevant authority.
17.1 When we may send marketing
We may send you marketing communications about glomotec, our modules, and related developments where:
- You have provided express consent (where the law of your jurisdiction requires it); or
- You are an existing institutional or corporate counterparty and we rely on legitimate interests, where applicable law permits
17.2 How to unsubscribe
Every marketing email contains an unsubscribe link. You may also withdraw consent or object at any time by writing to privacy@glomotec.com. Withdrawal applies to marketing communications and does not affect operational communications about your account, your engagement, or your case, which we will continue to send where relevant.
17.3 Frequency and content
We aim to keep marketing communications infrequent and relevant. We do not engage in mass marketing or third-party sale of contact details.
If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority.
18.1 We invite you to contact us first
Without prejudice to your right to lodge a complaint at any time, we encourage you to contact us first at privacy@glomotec.com so we can attempt to resolve the matter directly.
18.2 Supervisory authorities
- United Kingdom: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; ico.org.uk
- European Union and EEA: the supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement. A list is maintained by the European Data Protection Board at edpb.europa.eu
- United Arab Emirates: the UAE Data Office established under Federal Decree-Law No. 45 of 2021. For matters within the Dubai International Financial Centre, the DIFC Commissioner of Data Protection. For matters within the Abu Dhabi Global Market, the ADGM Office of Data Protection.
- California, United States: the California Privacy Protection Agency, cppa.ca.gov, and the California Attorney General, oag.ca.gov
- Other jurisdictions: the relevant supervisory or regulatory authority of your jurisdiction
19.1 Privacy contact
For any question, request, or complaint relating to this Privacy Policy or to the processing of your personal data, contact privacy@glomotec.com.
19.2 Data-protection lead
glomotec has appointed an internal data-protection lead responsible for oversight of our compliance with this Privacy Policy and applicable data protection law. The lead can be reached at privacy@glomotec.com. Where formal designation of a Data Protection Officer is required by Article 37 of the UK GDPR or the EU GDPR, glomotec will appoint a DPO and update this section accordingly.
19.3 United Kingdom controller
For UK GDPR purposes, glomotec (Companies House registration No. 13211798) is the United Kingdom controller responsible for the processing of personal data of UK data subjects.
19.4 European Union representative
glomotec, established outside the European Union, will appoint an Article 27 representative in the European Union where required by Article 27 of the EU GDPR. Where appointed, the representative’s name and contact details will be set out in this section. In the meantime, EU data subjects may direct enquiries to privacy@glomotec.com.
19.5 General contact
General correspondence: info@glomotec.com. Legal correspondence: legal@glomotec.com. Postal address: see Section 27.
If you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply to the processing of your personal data. glomotec is the UK controller.
20.1 Your rights under UK GDPR
The rights described in Section 14 apply in full. The supervisory authority is the Information Commissioner’s Office (ICO), to which you may complain at any time.
20.2 Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) apply to electronic marketing and the use of cookies and similar technologies in the United Kingdom. Where PECR requires opt-in consent, we obtain it before sending the relevant communication or setting the relevant non-essential cookie.
If you are in the European Union or the European Economic Area, the EU GDPR applies to the processing of your personal data, supplemented by the law of the Member State of your habitual residence and by the ePrivacy Directive (Directive 2002/58/EC) and any implementing national law.
21.1 Your rights under EU GDPR
The rights described in Section 14 apply in full. The lead supervisory authority for any cross-border processing will be determined in accordance with Article 56 of the EU GDPR; in the meantime, you may complain to the supervisory authority of your habitual residence.
21.2 ePrivacy
The ePrivacy Directive applies to electronic communications and the use of cookies and similar technologies in the European Economic Area. Where the implementing national law of your Member State requires opt-in consent, we obtain it before sending the relevant communication or setting the relevant non-essential cookie.
If you are a California resident, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) and the California Privacy Rights Act apply to the processing of your personal information. Defined terms in this Section have the meanings given in those laws.
22.1 Categories of personal information collected
In the twelve months preceding the publication of this Privacy Policy, glomotec has collected the categories of personal information described in Section 3, which map to the following CCPA categories:
- Identifiers (name, email, phone, IP address, account identifiers)
- Customer records information (Cal. Civ. Code § 1798.80(e))
- Internet or other electronic network activity (browsing, interactions with the platform)
- Geolocation data (approximate, inferred from IP)
- Professional or employment-related information (where you provide it through engagement or careers forms)
- Inferences drawn from any of the above to create a profile reflecting preferences, characteristics, or attitudes (limited to the SIGNAL qualification context)
- Sensitive personal information, only where you affirmatively provide it for a specific purpose
22.2 Sources, purposes, and recipients
The sources from which we collect this information are described in Section 4. The purposes for which we use this information are described in Section 5. The categories of recipient with whom we share this information are described in Section 9. We have not sold personal information and have not shared personal information for cross-context behavioural advertising in the preceding twelve months.
22.3 Your CCPA / CPRA rights
- Right to know: You may request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for which we collect or use it, the categories of recipients to which we have disclosed it, and the categories sold or shared (none).
- Right to delete: You may request that we delete personal information we have collected from you, subject to the exceptions in Cal. Civ. Code § 1798.105(d).
- Right to correct: You may request that we correct inaccurate personal information we hold about you.
- Right to opt out of sale or sharing: Although we do not sell personal information or share it for cross-context behavioural advertising, you may exercise this right by writing to privacy@glomotec.com. We honour Global Privacy Control signals where transmitted by your browser.
- Right to limit use of sensitive personal information: You may request that we limit the use of your sensitive personal information to that necessary to perform the services or provide the goods reasonably expected by an average consumer. We do not use sensitive personal information for purposes beyond those permitted under Cal. Civ. Code § 1798.121(a) by default.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA / CPRA rights.
22.4 How to exercise CCPA / CPRA rights
To exercise any of the rights above, write to privacy@glomotec.com. You may also designate an authorised agent to make a request on your behalf, subject to verification.
22.5 Shine the Light
California Civil Code § 1798.83 (Shine the Light) entitles California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures.
If you are a resident of a United States jurisdiction other than California with a comprehensive consumer privacy law in force, the rights granted by that law apply to the extent applicable. As of the effective date of this Privacy Policy, the relevant laws include:
- Virginia: Virginia Consumer Data Protection Act (VCDPA)
- Colorado: Colorado Privacy Act (CPA)
- Connecticut: Connecticut Data Privacy Act (CTDPA)
- Utah: Utah Consumer Privacy Act (UCPA)
- Texas: Texas Data Privacy and Security Act (TDPSA)
- Iowa: Iowa Consumer Data Protection Act
- Indiana: Indiana Consumer Data Protection Act
- Tennessee: Tennessee Information Protection Act (TIPA)
- Montana: Montana Consumer Data Privacy Act
- Oregon: Oregon Consumer Privacy Act
- Delaware: Delaware Personal Data Privacy Act
- New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, and other states whose laws come into force after publication, in each case where applicable
The rights granted under each of these laws generally include rights of access, deletion, correction, portability, opt-out of certain processing (including sale, targeted advertising, and significant profiling), and limitation of use of sensitive personal data. To exercise any right under these laws, write to privacy@glomotec.com. We honour Global Privacy Control signals as a request to opt out where required by applicable state law.
If you are located in or your data is processed within the United Arab Emirates, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”) and the executive regulations issued under it apply.
24.1 Lawful basis under the PDPL
We process personal data under the lawful bases set out in Article 4 of the PDPL, including consent, performance of a contract, compliance with legal obligation, protection of vital interests, public interest, and legitimate interests of the controller.
24.2 Your rights under the PDPL
Subject to the conditions and exceptions set out in the PDPL, you have rights to information, access, correction, erasure, restriction of processing, transmission of data, objection to automated processing, withdrawal of consent, and complaint to the UAE Data Office.
24.3 Designated Free Zones
For matters within the Dubai International Financial Centre, the DIFC Data Protection Law 2020 applies and the DIFC Commissioner of Data Protection has jurisdiction. For matters within the Abu Dhabi Global Market, the ADGM Data Protection Regulations 2021 apply and the ADGM Office of Data Protection has jurisdiction. We comply with the requirements of each regime where applicable.
24.4 Cross-border transfer under the PDPL
Where personal data is transferred from the United Arab Emirates to a country that does not provide an adequate level of protection, we apply the safeguards permitted under Articles 22 and 23 of the PDPL.
The platform is accessible globally and may be used by individuals in jurisdictions other than those expressly named in Sections 20 to 24. In every jurisdiction:
- The rights granted to you by the data protection law of your jurisdiction apply to the maximum extent
- You may write to privacy@glomotec.com to exercise those rights
- Where local law grants protections beyond those described in this Privacy Policy, the local law controls
- Where this Privacy Policy is more protective than local law, this Privacy Policy applies
glomotec may amend this Privacy Policy from time to time, including to reflect changes in the platform, in our processing activities, in our sub-processors, in applicable law, or in the requirements of supervisory authorities.
The current version is identified in the hero section above and at the top of this page. Where a change is material, we will use reasonable efforts to provide notice through the platform, by email, or by an in-product banner at least thirty (30) days before the effective date, except where earlier effect is required by law or by an immediate security or operational necessity.
Continued access to or use of the platform after the effective date of an amended version constitutes acceptance of that version. Where you do not accept a change, your remedy is to cease using the platform and, where you wish, to request deletion of your personal data in accordance with Section 14.
26.1 Version history
The version and effective date of this Privacy Policy are shown in the hero section above. Earlier versions are retained internally and are available on request to privacy@glomotec.com.
For any matter relating to this Privacy Policy or to the processing of your personal data, contact us using the channels below.
Mountain View, California, United States
Privacy · privacy@glomotec.com
General · info@glomotec.com
Legal · legal@glomotec.com
Companies House Registration
No. 13211798
England and Wales
United Kingdom controller for UK GDPR purposes
By accessing or using the glomotec platform, you confirm that you have read and understood this Privacy Policy. Where you are protected by data protection law in your jurisdiction, the rights granted to you by that law apply in full and are preserved by this Privacy Policy.