Glidepath
CountriesTransparencyCoverageSecurityPricing

Privacy policy

How Glidepath collects, uses, stores, and protects your information. The short version: we collect what we need to run your plan, your financial figures are encrypted and isolated to your account, the AI only ever sees de-identified numbers, we never sell your data, and you can delete your account from inside the product at any time.

Who we are

Glidepath is a retirement planning and education tool. This policy explains what we do with information when you create an account and build a plan. “We” and “Glidepath” refer to Endymion Labs LLC, the operator of the Glidepath service at glidepath.app.

What we collect

Account and identity. When you sign in, our authentication provider (Clerk) collects your email address, your name, and - if you use Google or Apple sign-in - the identity and email those providers return. Inside our own systems you are referenced only by a pseudonymous account id, never by your name. Sessions also record IP address and device/browser information for security.

Plan inputs. The financial information you enter - ages, dates, account types and balances, income, expenses, goals, and assumptions - to produce your projections.

Usage and diagnostics. Basic technical logs and error reports (via Sentry, hosted in the EU) needed to keep the service working and secure. Errors are attributed only to your pseudonymous account id, never to your name or financial figures. Optional product analytics are off by default and only start if you opt in from Settings. We use these events only to see which steps in the journey help people and where they get stuck, so we can improve them - never to advertise to you, build a profile, or sell data. PostHog processes a small set of manual events without user-supplied or product-data properties in the EU. Events use an ephemeral random id that is not linked to your account and resets when you opt out. We do not send PostHog your plan data, financial figures, name, email, page URLs, clicks, recordings, or free text. Session replay, heatmaps, and automatic event capture are disabled. You can opt out again at any time in Settings. We do not use advertising trackers.

How your data is protected

Two layers of encryption, by design. Your numeric plan figures are stored using envelope encryption: each value is encrypted with a data key that is itself encrypted (“wrapped”) by a master key held in a cloud KMS (AWS KMS), so the raw figures are never readable from the database alone.

The parts that could identify you - your real account and institution names - are encrypted in your browser (client-side) under a key derived from your passphrase before they are ever sent to us, and stored only as ciphertext (“identity_ct”). Our servers hold no copy of that key and can never read those names.

Every row is isolated to your account at the database level by row-level security keyed to your verified Clerk identity, so no other user can read your plan, and our services key every request off your authenticated identity rather than any value supplied in a request body. The database itself is a Railway-hosted Postgres in the EU.

How we use your information

To create, save, and display your plan; to authenticate you and secure your account; to generate AI explanations of your plan when you request them; to operate, debug, and improve the service; and to comply with legal obligations.

We do not sell your personal information, and we do not use your financial inputs to train any AI model.

AI processing of your plan

When you ask Glidepath to explain, summarize, or chat about your plan, the work is done on AWS Bedrock in the EU. We use Anthropic’s Claude Haiku 4.5 for chat, lifestyle profiles, and the short summary, and Claude Sonnet 4.6 for the full plan report - both via EU-resident Bedrock inference profiles, so AI processing stays in the EU.

Bedrock is called only from our engine (the single component with the AWS credentials), and only on de-identified numeric facts: a typed, numbers-only payload that structurally excludes your name, your account names, and any free-text notes. Before any request leaves our boundary it passes a strict de-identification allowlist gate, and the call is made through a Bedrock guardrail that blocks personal information (PII) and refuses anything identity-shaped. Your real account names - which are client-side encrypted - are never sent to the AI at all. AI output can be wrong; see the disclaimer.

Service providers (subprocessors)

We share information only with the providers needed to run Glidepath, each under their own data-protection terms:

Clerk (authentication and identity) · Railway (EU application hosting and Postgres database) · Cloudflare (edge network, DNS, security) · AWS (Bedrock for AI in the EU, and KMS for envelope-encryption keys) · Sentry (error monitoring, EU-hosted) · Resend (notification email delivery; sees your email address, never your financial data) · PostHog (optional, opt-in product analytics; EU-hosted and receives only manual events without user-supplied or product-data properties).

Data retention and deletion

We keep your account and plan data for as long as your account is active.

Deleting your account is a cryptographic erasure (crypto-shred). When you delete your account - from Settings → Delete account inside the product, or when Clerk tells us (via a user.deleted webhook) that your identity has been removed - we destroy the wrapped data key that protects your client-side-encrypted identity. Once that key is gone, your encrypted account and institution names are permanently unreadable, by anyone, including us. We also delete your numeric plan records, balances, and scenarios. Deletion is immediate and irreversible; we may retain minimal records only where a legal obligation or an unresolved dispute requires it.

Your rights

Depending on where you live (including under GDPR and CCPA/CPRA), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can export your plan and delete your account directly from the product’s Settings at any time - deletion is the crypto-shred described above. To exercise any other right, contact us at the address below.

International transfers

Glidepath is operated with EU data residency: the database (Railway), AI processing (AWS Bedrock), error monitoring (Sentry), and optional product analytics (PostHog) all run in the EU. Where data is nonetheless processed in another country (for example, Clerk or Cloudflare operating globally), we rely on appropriate safeguards, such as standard contractual clauses, for those transfers.

Children

Glidepath is not directed to children and is not intended for anyone under 18. We do not knowingly collect personal information from children.

Changes and contact

We may update this policy as the product evolves; the version at this URL is the current one. Questions or privacy requests: [email protected].

Glidepath

See the real odds of retiring early: ten thousand futures, in plain language.

Product

Free estimateCountry guidesHow it worksWho it's forPricing

Trust and safety

TransparencyCountry coverageHow the math worksTax watchSecurity

Legal

PrivacyTermsDisclaimer
Copyright 2026 Endymion Labs LLC. Glidepath is a planning and education tool, not financial, tax, or legal advice. We are not a registered investment advisor.Questions? [email protected]