Privacy

Plain-English data posture.

We pitch dealers on TCPA, FTSA and GLBA compliance. We don’t get to ask them to honor that and then run shady tracking on our own marketing site. This page is the contract.

What we collect from visitors

If you land on a marketing page and don’t fill the demo form, we keep three things, all anonymous:

A stable visitor ID (random string in a cookie), used to dedupe repeat visits so the same person showing up twice doesn’t count as two leads.
A salted, truncated SHA-256 hash of your IP. Used to spot bots and bounce traffic. We never store the raw IP for marketing visits.
Country / city / region (no precise lat/lng) from the request headers. Helps us know which markets are reading the site.

What we don’t collect

Phone-shadow or email-shadow IDs — no Customers.ai, RB2B, Retention.com, Warmleads, or any other identity-graph service. If we don’t have your consent, we don’t un-mask you.
Cross-site browsing history.
Browser fingerprints.
Form-field values you didn’t submit. We may record that a field was focused and how many characters were typed, but never the contents.
Anything inside the authenticated app (/app,/founders, /dashboard). Tracking is scoped to the public marketing surface only.

What we collect when you fill the demo form

The fields on the form: name, email, phone, dealership name. We keep what you typed because you typed it on a form labeled “request a demo.” If you ask us to delete it, we will.

Cookies in plain English

Cookie	What it does	Lifetime	Set when?
`glx_vid`	Stable visitor ID for dedup. Doesn’t carry analytics on its own.	365 days	Always (essential / legitimate interest under GDPR Art. 6(1)(f) for fraud + dedup)
`glx_consent`	Records your choice on the consent banner.	365 days	The moment you click Accept or Decline.
(analytics cookies)	Page-level analytics so we can see which pages help dealers find us. All data is anonymized aggregate — no PII linked to identity.	varies	By default, under GDPR Art. 6(1)(f) legitimate interest. Click Opt out on the banner to pause analytics; the rest of the site keeps working.

How long we keep things

Page-view records and event logs — 180 days, then deleted.
Visitor session records — 365 days, then deleted.
Demo-request records — kept while the opportunity is active. After it closes, archived for 7 years to satisfy dealer record-retention rules (FTSA), then deleted.

Your rights

You can ask us at any time to:

Tell you what we have on you (subject access request).
Delete what we have on you.
Export your data as JSON.
Withdraw consent for analytics — just decline the banner, or clear the glx_consent cookie.

Email privacy@gladiuscrm.com from the address on file. We aim to reply within 72 hours; the statutory ceiling is 30 days under GDPR.

Compliance posture

This doctrine satisfies:

FTSA / TCPA — we don’t buy phone-shadow IDs; calls and SMS only happen on opt-in demo-request data.
GDPR Art. 6(1)(f) (legitimate interest) for the essential glx_vid cookie and salted IP hash pre-consent.
GDPR Art. 6(1)(a) (consent) for analytics cookies. Default-decline; banner accept required.
CCPA — SAR playbook above; analytics are opt-in.
GLBA Safeguards — founder-portal auth gates all NPI; raw IP is not stored in tracking tables.

Questions

Email privacy@gladiuscrm.com or request a demo and ask the founders directly. Privacy email gets a founder reply, not a form letter.

What we collect from visitors

If you land on a marketing page and don’t fill the demo form, we keep three things, all anonymous:

A stable visitor ID (random string in a cookie), used to dedupe repeat visits so the same person showing up twice doesn’t count as two leads.

A salted, truncated SHA-256 hash of your IP. Used to spot bots and bounce traffic. We never store the raw IP for marketing visits.

Country / city / region (no precise lat/lng) from the request headers. Helps us know which markets are reading the site.

What we don’t collect

Phone-shadow or email-shadow IDs — no Customers.ai, RB2B, Retention.com, Warmleads, or any other identity-graph service. If we don’t have your consent, we don’t un-mask you.

Cross-site browsing history.

Browser fingerprints.

Form-field values you didn’t submit. We may record that a field was focused and how many characters were typed, but never the contents.

Anything inside the authenticated app (/app,/founders, /dashboard). Tracking is scoped to the public marketing surface only.

Cookies in plain English

What it does

Lifetime

Set when?

glx_vid

Stable visitor ID for dedup. Doesn’t carry analytics on its own.

365 days

Always (essential / legitimate interest under GDPR Art. 6(1)(f) for fraud + dedup)

glx_consent

Records your choice on the consent banner.

365 days

The moment you click Accept or Decline.

(analytics cookies)

Page-level analytics so we can see which pages help dealers find us. All data is anonymized aggregate — no PII linked to identity.

varies

By default, under GDPR Art. 6(1)(f) legitimate interest. Click Opt out on the banner to pause analytics; the rest of the site keeps working.

Your rights

You can ask us at any time to:

Tell you what we have on you (subject access request).

Delete what we have on you.

Export your data as JSON.

Withdraw consent for analytics — just decline the banner, or clear the glx_consent cookie.

Email privacy@gladiuscrm.com from the address on file. We aim to reply within 72 hours; the statutory ceiling is 30 days under GDPR.

Compliance posture

This doctrine satisfies:

FTSA / TCPA — we don’t buy phone-shadow IDs; calls and SMS only happen on opt-in demo-request data.

GDPR Art. 6(1)(f) (legitimate interest) for the essential glx_vid cookie and salted IP hash pre-consent.

GDPR Art. 6(1)(a) (consent) for analytics cookies. Default-decline; banner accept required.

CCPA — SAR playbook above; analytics are opt-in.

GLBA Safeguards — founder-portal auth gates all NPI; raw IP is not stored in tracking tables.