Privacy Policy
Last updated: June 10, 2026
This policy describes how Globalesm, Inc. (“Globalesm”, “we”) collects, uses, and protects personal data in connection with the Globalesm One platform at one.globalesm.com (the “Service”). For data your organization stores in the Service about its own clients and staff, your organization is the data controller and we act as a processor on its instructions.
1. Data We Collect
- Account data - name, work email, organization name, role, and authentication identifiers from our sign-in provider.
- Customer content - the data your organization submits: time entries, projects, clients, invoices, expenses, contractor and HR records, documents, and connected-integration data you authorize.
- Billing data - subscription status and seat counts. Card details are collected and stored by Stripe, not by us.
- Usage and log data - IP address, browser type, pages and actions (including an audit trail of changes made inside your organization), and request identifiers used for security and troubleshooting.
2. How We Use Data
- To provide, operate, secure, and support the Service.
- To process subscription payments and manage trials.
- To send transactional email (sign-in, invitations, approval and billing notices, notifications your organization configures).
- To investigate abuse and comply with legal obligations.
We do not sell personal data, and we do not use your customer content for advertising or to train foundation AI models.
3. AI Features
When you use AI features (the in-app assistant, AI-powered search, or an AI client you connect via our MCP server), the content involved in your request is processed by our AI subprocessor (Anthropic) to generate the response. Connected AI clients act under your user account and can only access what your role permits, limited further by the scopes you approve when connecting.
4. Subprocessors
We use the following subprocessors to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting, database, authentication (Cognito), email delivery (SES) | United States (us-east-1) |
| Cloudflare | File and document storage (R2) | United States / global |
| Stripe | Subscription billing and invoice payments | United States |
| Resend | Transactional email delivery | United States |
| Anthropic | AI features (assistant, document search) | United States |
Optional integrations you connect (for example Jira, Gusto, Plaid/Teller, Payoneer, Google or Microsoft calendars, LinkedIn, Harvest) receive or provide data only after an administrator or user of your organization authorizes them, and are governed by their own privacy policies.
5. Security
- Encryption in transit (TLS) and at rest.
- Per-organization isolation enforced at the database layer with row-level security, in addition to application-level role-based access control.
- Audit logging of changes within each organization.
- Credentials for connected integrations are stored encrypted.
6. Data Retention
Customer content is retained while your organization’s account is active. Financial records are soft-deleted rather than destroyed during normal use so your history remains auditable. After account termination, you may request an export for 30 days, after which data is deleted in the ordinary course of operations. Backups are retained for up to 30 days.
7. Your Rights (GDPR and Similar Laws)
Depending on your location, you may have rights to access, correct, export, delete, or restrict processing of your personal data. Organization administrators can initiate a full data export or deletion request directly in the app under Settings → Privacy. Individuals can contact us (or their organization’s administrator, where the organization is the controller) at the address below. We respond within the timeframes required by applicable law.
8. International Transfers
The Service is hosted in the United States. If you use the Service from outside the US, you consent to processing your data in the US. Where GDPR applies, we rely on standard contractual clauses or equivalent safeguards with our subprocessors.
9. Cookies
We use only the cookies necessary to operate the Service: session authentication and security (CSRF) cookies. We do not use advertising or cross-site tracking cookies.
10. Children
The Service is for business use and not directed to anyone under 16.
11. Changes
We may update this policy from time to time. For material changes we will give notice by email or in the app at least 14 days before the change takes effect.
12. Contact
Privacy questions and requests: info@globalesm.com.