Glean · Glean Privacy Policy

Employer-as-Controller Structure

High severity

What it is

When your employer uses Glean, your company controls your data — not Glean. Any requests to access, correct, or delete your personal information must go through your employer.

Consumer impact (what this means for users)

Employees who use Glean through work cannot directly request their data or ask Glean to delete it; they must go through their employer, creating a practical barrier to exercising data privacy rights.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Within 30 days
    Contact your employer's HR, IT, or data privacy team and request that they submit a data deletion or access request to Glean on your behalf. Glean will process the request upon instruction from your employer as the data controller.


Why it matters (compliance & risk perspective)

This structure means individual employees cannot directly enforce their data rights against Glean — they are dependent on their employer to act on their behalf, which may delay or limit their ability to exercise GDPR or CCPA rights.

View original clause language
When Glean provides services to a business customer, Glean acts as a data processor on behalf of that customer, who is the data controller. In these cases, the customer's privacy policy and data practices govern the collection and use of personal data, and individuals should refer to the customer's privacy policy for information about how their personal data is handled. If you are an employee or user of one of our customers and have questions about your personal data, please contact your employer or the relevant customer directly.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision directly engages GDPR Article 28 (processor obligations and mandatory DPA requirements), Articles 13 and 14 (transparency obligations borne by the controller/employer), and Article 4(7)/(8) definitions of controller and processor. Under CCPA/CPRA §1798.140, Glean's service provider designation means consumers cannot assert CCPA rights directly against Glean. The ICO (UK) and EU data protection authorities (lead authority likely the Irish DPC given Glean's EU operations) hold enforcement jurisdiction.


Applicable agencies

  • FTC
    FTC Act Section 5 applies to deceptive or unfair data practices; the service provider structure and employee notice adequacy fall within FTC consumer protection jurisdiction.

Provision details

Document information
Document: Glean Privacy Policy
Entity: Glean
Document last updated: April 29, 2026

Tracking information
First tracked: April 30, 2026
Last verified: April 30, 2026
Record ID: CA-P-004382
Document ID: CA-D-00505

Evidence Provenance
Source URL: Wayback Machine
SHA-256: bf35161360eff21ce3dcd83598198afb291214ea440a7d5ff199884f65aef203
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: Glean | Document: Glean Privacy Policy | Record: CA-P-004382
Captured: 2026-04-30 09:15:11 UTC | SHA-256: bf35161360eff21c…
URL: https://conductatlas.com/platform/glean/glean-privacy-policy/employer-as-controller-structure/
Accessed: May 2, 2026

Classification
Severity: High
Categories
