Privacy Policy

1. Overview

LucraLab LLC ("LucraLab", "we", "us", or "our") operates the Gleam service available at gleamreply.com. Gleam is an AI-powered review response automation tool designed for local businesses, including healthcare practices.

This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights regarding that information. By using Gleam, you agree to the practices described in this policy.

If you have questions at any time, contact us at hello@gleamreply.com.

2. Data We Collect

Account Information

When you sign up for Gleam, we collect:

• Your name — to personalize communications and your account
• Practice/business name — to configure your brand voice and Google Business Profile connection
• Email address — to send account-related communications, receipts, monthly reports, and alerts
• Mobile phone number — to deliver SMS alerts for new reviews that require your approval. Your phone number is used solely for transactional SMS related to your Gleam account. We never sell, rent, or share your phone number with third parties for marketing purposes.

Staff Phone Numbers

If you use the Staff Review Reminders feature, you may provide the names and mobile phone numbers of your staff members. We collect this information on your behalf — you are the data controller, and Gleam processes staff data as your service provider.

Staff phone numbers are used exclusively to:

• Send a one-time consent invitation (no messages are sent until the staff member opts in by replying YES)
• Send periodic review reminder messages to consented staff members during business hours

Staff phone numbers are never sold, rented, or shared with third parties for marketing. Staff members can opt out at any time by replying STOP.

Google OAuth Tokens

To connect Gleam to your Google Business Profile, you authorize Gleam via Google's OAuth 2.0 flow. We store the resulting access and refresh tokens in encrypted form. These tokens allow Gleam to read your public Google reviews and post AI-generated responses on your behalf. We do not use these tokens to access any other Google services, your Google Drive, Gmail, or any data beyond your Google Business Profile reviews.

Google Business Profile Review Data

Gleam reads publicly visible review data from your Google Business Profile — specifically, the text, star rating, and reviewer display name of reviews that members of the public have already chosen to post on Google. We do not access private messages, your Google Ads data, or any internal practice systems. Only public review text is processed — no patient or customer personally identifiable information (PII) beyond what the reviewer has already made public in their review.

Usage Data

We collect standard service usage information, including:

• Log data (IP addresses, browser type, pages visited, timestamps)
• Feature usage patterns to improve the service
• Error reports and diagnostic information

This data is used in aggregate to improve Gleam and is not sold or shared with third parties for marketing purposes.

3. How We Use Your Data

We use the data we collect solely to provide and improve the Gleam service. Specifically:

• Monitoring reviews: Periodically polling your Google Business Profile for new reviews
• Generating AI responses: Sending review text to our AI system to generate appropriate responses
• Posting responses: Using your authorized Google credentials to post approved responses to Google
• Sending SMS alerts: Notifying you via text message when a low-star review requires your approval
• Billing and account management: Processing subscription payments and sending account-related emails
• Service communications: Sending transactional emails about your account, subscription status, and important updates
• Monthly reputation reports: Emailing a monthly summary of your reviews, ratings, and AI-generated response activity
• Staff review reminders: Sending periodic SMS reminders to staff members who have opted in, asking them to encourage customers to leave reviews
• Service improvement: Analyzing usage patterns to improve features and reliability

We do not sell your personal information. We do not use your data for advertising targeting. We do not share your data with third parties except as described in Section 4 below.

4. Third-Party Services

Gleam relies on the following trusted third-party services to operate. Each is used only for the purpose described:

Stripe (Payments)

Subscription billing is processed by Stripe, Inc. When you subscribe, your payment information is submitted directly to Stripe — we never store credit card numbers on our servers. Stripe's privacy policy is available at stripe.com/privacy.

SendGrid (Email)

Transactional emails (welcome emails, receipts, account notifications) are sent via Twilio SendGrid. Your email address is shared with SendGrid solely to deliver these messages. SendGrid's privacy policy is available at twilio.com/legal/privacy.

Twilio (SMS)

SMS alerts for review approvals are delivered via Twilio, Inc. Your phone number is shared with Twilio solely to deliver these messages. Twilio's privacy policy is available at twilio.com/legal/privacy.

Google (OAuth + Google Business Profile API)

Gleam uses Google's OAuth 2.0 system for authentication and the Google Business Profile API to read reviews and post responses. Your use of Google's services is subject to Google's Privacy Policy.

OpenAI (AI Response Generation)

Review text is sent to OpenAI's API to generate response drafts. Review text submitted to OpenAI is used only for generating the response and is subject to OpenAI's API data usage policies. We use the API under terms that restrict OpenAI from using submitted data to train their models. OpenAI's privacy policy is available at openai.com/privacy.

We do not share your personal account information (name, email, phone) with OpenAI. Only the text of reviews (which is already public) is sent for AI processing.

5. No PHI — Healthcare Practices

Gleam is not connected to your electronic health records (EHR), practice management software, scheduling system, or any internal patient database. We have no access to patient names, diagnoses, treatment details, insurance information, or any other clinical data.

Our AI is explicitly instructed to never acknowledge, reference, or confirm any health-related details in responses — even if a patient mentions clinical specifics in their review. Gleam only engages with the general sentiment of a review, never its medical content.

Because Gleam operates exclusively on publicly available review data and does not handle PHI, it does not function as a Business Associate under HIPAA.

6. Data Retention

We retain your account data for as long as your subscription is active. After you cancel your subscription:

• Your account data (name, email, phone, practice name) is retained for 30 days to allow for reactivation, then permanently deleted
• Your Google OAuth tokens are revoked and deleted immediately upon cancellation
• Staff phone numbers and reminder records are deleted within 30 days of cancellation
• Review data and AI-generated responses cached in our system are deleted within 30 days of cancellation
• Billing records may be retained for up to 7 years as required by applicable tax and financial regulations

Responses that Gleam has already posted to Google remain on your Google Business Profile — those are public posts on Google's platform, and we have no ability to remove them after posting. If you wish to remove a response, you may do so directly through your Google Business Profile account.

7. Security

We take reasonable technical and organizational measures to protect your data:

• Google OAuth tokens are stored encrypted at rest using AES-256 encryption
• All data in transit is protected using TLS 1.2 or higher
• Access to production systems is restricted to authorized LucraLab personnel
• We use industry-standard cloud infrastructure with SOC 2-certified providers

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at hello@gleamreply.com.

8. Your Rights

You have the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Portability: Request your data in a machine-readable format
• Revoke Google Authorization: You can revoke Gleam's access to your Google account at any time through your Google Account settings at myaccount.google.com/permissions

To exercise any of these rights, email hello@gleamreply.com. We will respond within 30 days.

9. GDPR Rights (EEA Residents)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to be Informed: You have the right to know how your data is collected and used (this policy fulfills that obligation)
• Right to Object: You may object to processing of your personal data for direct marketing purposes
• Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority

Our lawful basis for processing your personal data is performance of a contract — we need your data to provide the Gleam service you subscribed to. Where we send you marketing communications, we rely on legitimate interest or your explicit consent.

For GDPR-related requests, contact hello@gleamreply.com.

10. CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• Right to Know: You have the right to know what personal information we collect, use, disclose, and sell
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out: You have the right to opt out of the sale of your personal information — we do not sell your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your California rights, contact hello@gleamreply.com with "California Privacy Request" in the subject line.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:

• Update the "Effective Date" at the top of this page
• Send an email notification to all active account holders

Your continued use of Gleam after the effective date of any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

12. Text Messaging / SMS Communications

Phone Numbers We Collect

When you sign up for Gleam, we collect your mobile phone number for the purpose of delivering SMS (text message) alerts related to your account and review management. If you use the Staff Review Reminders feature, you may also provide the mobile phone numbers of your staff members. We collect and use those numbers as described in Section 2 above.

Consent to Receive Text Messages

By providing your mobile phone number and checking the SMS consent box during sign-up, you expressly opt in to receive text messages from Gleam, a LucraLab product, at the number provided. No messages are sent without your prior consent. Gleam will not send you text messages if you have not checked the consent box during the onboarding process.

Types of Messages We Send

Gleam may send the following categories of SMS to your mobile number:

• Review Alerts: Notifications when a new Google review is posted to your Business Profile, including the review text and an AI-generated draft response for your approval
• Approval Requests: Requests for you to approve, edit, or ignore a suggested review response before it is posted to Google
• Account Notifications: Transactional messages about your Gleam account, including confirmation texts, setup messages, and service status updates
• Optional Marketing Messages: Occasional product updates, feature announcements, tips, and promotional offers — only if you separately opt in to marketing messages during sign-up. These are completely optional.

How to Opt Out

You can opt out of Gleam SMS messages at any time by replying STOP to any message from Gleam. You will receive a one-time confirmation that your opt-out has been processed, and no further messages will be sent. You may also contact us at hello@gleamreply.com to manage your messaging preferences.

Note that opting out of service SMS (review alerts and approval requests) will prevent Gleam from notifying you about reviews that need your attention, which may affect your ability to use certain core features of the service.

Message & Data Rates

Message and data rates may apply. Gleam does not charge you for text messages, but your mobile carrier may apply standard messaging rates. Message frequency varies depending on your review volume and account settings.

No Sale or Sharing of Phone Numbers

Your phone number — and the phone numbers of your staff members — are never sold, rented, or shared with third parties for marketing or advertising purposes. Phone numbers are shared only with Twilio, Inc. (our SMS delivery provider) for the sole purpose of delivering messages to you. See Section 4 (Third-Party Services) for more details.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please reach out: