Glofy LLC — Last updated: May 2026
Glofy LLC (“Glofy,” “we,” “us,” or “our”) is a company incorporated in Delaware, United States, providing staff augmentation services and specialized talent solutions at an international level.
Our commitment to privacy and the protection of personal data is a core part of how we operate. For specific privacy inquiries or to exercise data protection rights, please contact us at: privacy@glofy.co.
Where required by applicable law, and in compliance with Article 27 of the General Data Protection Regulation (GDPR), Glofy will designate a representative in the European Union and the United Kingdom.
Glofy has submitted a self-certification application to participate in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, administered by the U.S. Department of Commerce, for the handling of personal data transferred from the European Union and the United Kingdom for commercial purposes (e.g., information about clients, prospects, or candidates). Glofy’s participation will be confirmed upon finalization of its self-certification by the U.S. Department of Commerce.
Glofy expressly commits to comply with the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, to the extent applicable to the personal data it processes. This commitment is public and enforceable under U.S. law.
Glofy does not process or transfer human resources data (HR Data) under the DPF. Its staffing and service delivery operations are conducted exclusively in Latin America; therefore, employee and contractor data is not transferred from jurisdictions covered by the DPF. Should this change in the future, this Policy will be updated accordingly.
This Privacy Policy sets out the principles and practices Glofy applies to the personal information it receives and manages. It applies to:
Candidates participating in selection processes managed by Glofy.
Clients and prospects with whom we maintain commercial or collaborative relationships.
Visitors to our website and users of our digital platforms.
This Policy does not apply to the processing of personal data of Glofy’s collaborators or contractors residing in Latin America (HR Data), which is governed by internal Human Resources policies and falls outside the scope of the DPF.
In the course of our activities, we may collect, store, and process the following categories of personal data:
Identity and contact information: name, email address, phone number, country of residence or operations.
Professional data: résumés, work history, job title, role in the assignment, performance evaluations, and other information related to selection processes or contractual relationships.
Billing and payment data: payment accounts, banking and tax information, where applicable.
Technical data: IP addresses, cookies, access logs, and other information related to the use of our websites and digital platforms.
Client-provided data: information strictly necessary for our collaborators to fulfill their assignments.
In all cases, Glofy commits to collecting only information that is adequate, relevant, and limited to what is necessary for the purposes described.
Personal data is used exclusively for legitimate, pre-determined purposes, including:
Recruitment and hiring: profile analysis, interviews, and administration of recruitment processes.
Client assignment management: project management, task coordination, and fulfillment of contractual responsibilities.
Commercial communication and support: sending relevant information, handling inquiries, and providing support to clients, prospects, and collaborators.
Compliance with legal and contractual obligations: record-keeping, billing, tax compliance, and regulatory reporting.
Security, audit, and fraud prevention: implementing controls to protect Glofy, its clients, and collaborators against security risks.
Each purpose is managed under the principle of data minimization.
Our processing of personal data is based on the following legal grounds:
Consent: where the data subject gives explicit authorization for a specific purpose.
Performance of a contract: where processing is necessary to fulfill a contract with the data subject or a client.
Legal obligation: where we must process or retain certain data to comply with tax, labor, or regulatory requirements.
Legitimate interest: where processing serves Glofy’s own purposes and does not override the data subject’s fundamental rights.
Glofy collaborators: have access only to Glofy’s internal assets necessary for the management of their contractual relationship.
Glofy clients: each client retains primary responsibility for access management, controls, and information security measures within their own systems and platforms. Glofy does not intervene in the definition or administration of those internal measures.
Security collaboration: while Glofy does not administer client security measures, we promote best practices and collaborate with clients on awareness, audit, or compliance initiatives when required within the scope of the assignment.
Glofy uses cookies and similar technologies (such as pixels, tags, and scripts) to improve the browsing experience, analyze platform usage, and deliver personalized content and communications.
The cookies we use may be classified as:
Strictly necessary cookies: enable the basic functioning of the website and secure platform access. These cannot be disabled.
Performance and analytics cookies: collect information on how users interact with our site to help us improve its performance and usability.
Functionality cookies: allow the site to remember preferences (language, region, session) for a personalized experience.
Third-party cookies: external services such as Google Analytics, LinkedIn, or YouTube may install their own cookies for their specific purposes.
Users may accept or reject cookies by adjusting their browser settings. Note that disabling certain cookies may affect website functionality. For more information, visit www.allaboutcookies.org.
We may share personal data with:
Glofy clients, solely for assignment purposes.
Service providers (IT, payroll, recruitment, cloud).
Public authorities, when required by law.
In connection with a merger, acquisition, or corporate restructuring.
International transfers under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF are limited to commercial data not related to human resources (clients, prospects, candidates). For such transfers, we implement the following safeguards:
Participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
Standard Contractual Clauses (SCCs) approved by the European Commission and the ICO in the United Kingdom, where applicable.
Commitment to transparency toward data subjects in the event of transfers to jurisdictions with a lower level of protection.
When Glofy transfers personal data to third parties acting as controllers, it ensures that those third parties process data only for limited and specified purposes consistent with the consent provided by the data subject, and that they offer a level of protection equivalent to that required by the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF. Should a third party be unable to maintain that level of protection, Glofy will cease the transfer and take appropriate corrective action. Glofy assumes liability for the processing carried out by its agents or subprocessors on Glofy’s behalf, unless Glofy demonstrates it was not responsible for the event giving rise to the damage.
Glofy applies reasonable technical, organizational, and administrative measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:
Role-based internal access controls.
Encryption protocols and secure storage.
Audit and periodic review procedures.
While our practices are aligned with international security standards (with ISO/IEC 27001 as a reference), no digital transmission or storage system can guarantee 100% security.
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law. Examples:
Non-hired candidates: up to 5 years after the selection process, unless consent is given to retain data for longer.
Current and former collaborators: in accordance with applicable tax, labor, and contractual obligations.
Clients and prospects: for the duration of the commercial relationship or while a legitimate interest exists, with the option to object at any time.
Upon expiration of the applicable retention period, data will be securely deleted or anonymized.
Glofy recognizes and respects individuals’ rights over their personal data. Depending on applicable law (GDPR, CCPA, and others), data subjects may exercise the following rights:
Access: to know what data we hold and how we process it.
Rectification: to request correction of inaccurate or incomplete data.
Erasure (“right to be forgotten”): to request deletion of data when it is no longer necessary.
Restriction of processing: to temporarily limit how data is used in certain circumstances.
Data portability: to receive data in a structured format for transfer to another controller.
Objection: to opt out of certain types of processing, such as direct marketing.
Requests should be sent to privacy@glofy.co and will be addressed within 45 business days of receipt, in accordance with EU-U.S. DPF and UK Extension requirements and applicable law.
Data subjects also have the right to lodge a complaint with the data protection authority of their jurisdiction.
Our services, selection processes, and digital platforms are not designed for or directed at children under the age of 13 (or 16 in the European Union and other jurisdictions where local law requires a higher age threshold).
We do not intentionally collect personal information from minors. If we become aware that we have received data from a minor without proper authorization, we will promptly take the necessary steps to delete it securely.
If a parent or guardian believes a minor in their care has provided us with personal data, they may contact us at privacy@glofy.co.
This Privacy Policy may be updated to reflect changes in our internal practices, applicable legal or regulatory requirements, or technological developments affecting data processing.
When significant changes affecting data subjects’ rights are introduced, these will be communicated prominently on our website and, where appropriate, via direct notification to collaborators, clients, or candidates.
Glofy is committed to addressing all privacy-related requests, inquiries, and concerns in a clear, timely, and responsible manner.
Data subjects may contact us at: privacy@glofy.co.
Where required by international law (e.g., Article 27 of the GDPR), Glofy will designate representatives in the European Union, the United Kingdom, or other applicable jurisdictions.
Glofy is subject to the jurisdiction of the U.S. Federal Trade Commission (FTC) with respect to its compliance with the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF. The FTC is the competent enforcement authority over Glofy’s obligations under the DPF program.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Glofy offers the following mechanisms for handling complaints:
Direct contact: data subjects may submit a complaint directly to Glofy at privacy@glofy.co. Glofy will respond within 45 business days of receiving the complaint.
Independent Recourse Mechanism (IRM): Glofy has designated JAMS as its independent dispute resolution provider for complaints relating to commercial data transferred from the European Union or the United Kingdom to the United States under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. This service is provided at no cost to the individual.
Submit a complaint to JAMS: https://www.jamsadr.com/submit/
DPF program website: https://www.dataprivacyframework.gov
Binding arbitration: as a last resort, and once other recourse mechanisms have been exhausted, data subjects whose data has been transferred under the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF have the right to invoke binding arbitration pursuant to Annex I of the DPF Principles, at no cost to the individual.
Glofy cooperates with the data protection authorities of the European Union and the United Kingdom with respect to the processing of non-HR commercial data transferred under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
Glofy is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to its compliance with the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF. Non-compliance with the Principles may constitute an unfair or deceptive act or practice under Section 5 of the FTC Act.
