Privacy Policy
Last updated — June 2026
On this page
This Privacy Policy explains how Graybyte Private Limited ("Glymp", "we", "us", or "our"), acting as a Data Fiduciary, collects, uses, stores, discloses, and protects the personal data of Data Principals (you, the user) when you access or use our services ("Services").
- Visiting our website https://glymp.app
- Downloading and using the Glymp User App
- Downloading and using the Glymp Business App
- Discovering nearby products, stores, and services
- Posting content, reviews, or engaging with businesses
- Earning or redeeming Glymp Coins
- Engaging with us through marketing, promotions, or customer support
This policy is published in compliance with the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"); and the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 ("DPDP Act/Rules"), to the extent their provisions have come into force. In the event of any conflict between these frameworks, the DPDP Act/Rules shall prevail to the extent of such conflict.
If you do not agree with this Privacy Policy, please do not use our Services. For privacy questions, contact us at privacy@glymp.app.
Summary of Key Points
- ✓ Glymp is available to users aged 13 and above. Users between 13 and 17 must confirm parental or guardian permission at registration. We do not knowingly collect data from anyone under 13.
- ✓ We collect personal information you provide and some information automatically (device, location, usage).
- ✓ We use your data to personalise discovery, show recommendations, and improve the platform.
- ✓ We do not sell your personal data to third parties.
- ✓ Analytics cookies (Google Analytics, Microsoft Clarity) are used on the website only with your consent.
- ✓ We may share data with trusted service providers under contractual obligations.
- ✓ You have rights to access, correct, delete, and port your data.
- ✓ We implement reasonable security measures compliant with Indian IT law.
A. Legal Basis for Processing#
Under the DPDP Act 2023, we process your personal data only where we have a lawful basis. The table below summarises our main processing activities and their legal basis.
| Processing Activity | Legal Basis | Can You Opt Out? |
|---|---|---|
| Account creation and management | Performance of contract | No — required to use the service |
| Hyperlocal discovery (showing nearby stores) | Performance of contract | No — core feature |
| Location-based features | Consent (device permission) | Yes — via device settings |
| Push notifications | Consent | Yes — via app or device settings |
| Marketing communications (email/SMS) | Consent | Yes — unsubscribe link or email us |
| Analytics (website) | Consent (cookie banner) | Yes — via cookie preferences |
| Fraud detection and security | Legitimate interest | No — necessary for platform safety |
| Legal compliance | Legal obligation | No |
| Glymp Coins rewards programme | Performance of contract | Yes — by not participating |
Where processing is based on consent, you may withdraw it at any time by contacting us at privacy@glymp.app. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
1. Information We Collect#
1.1 Personal Information You Provide
When you register, create a profile, or use our Services, we may collect:
- Full name and display name
- Email address
- Phone number
- Profile photo
- Date of birth (for age verification — users under 13 are not permitted; users aged 13–17 must confirm parental or guardian permission at registration)
- Gender (optional)
- Delivery or billing address
- Business details (for business accounts: store name, category, GST number, bank details)
- Payment information (processed securely via third-party payment gateways)
1.2 User-Generated Content
When you interact with Glymp, we collect:
- Photos and videos you post
- Reviews, ratings, and comments
- Collections you create or follow
- Likes, saves, and engagement activity
- Search queries and browsing history within the app
1.3 Device and Technical Information
We automatically collect:
- Device type, model, operating system, and version
- Unique device identifiers (device ID, advertising ID)
- IP address
- Browser type and version (for web access)
- App version and build number
- Network information (Wi-Fi, cellular)
- Crash logs and diagnostic data
1.4 Location Data
As a hyperlocal discovery platform, location is central to our Services:
- Precise location (GPS) — with your explicit device permission, used to show nearby stores, products, and services. We collect location only while you are actively using the app (foreground access); we do not collect location when the app is in the background unless you have separately granted always-on permission for a specific feature.
- Approximate location — derived from IP address or network data for the website
- Saved locations — locations you manually save or set as preferred areas
- We do not share your individual, identifiable location with businesses. Businesses may access aggregated, anonymised footfall analytics that do not identify individual users.
You can disable location access through your device settings at any time. Disabling location may limit the accuracy of discovery features.
1.5 Behavioural and Usage Data
We collect data about how you interact with the platform:
- Pages and screens viewed
- Time spent on content
- Tap and scroll patterns
- Feature usage frequency
- Referral sources (how you found us)
- Glymp Coins earned, redeemed, and balance
1.6 Sensitive Personal Data
Certain information we collect for business accounts — specifically bank account details provided for payout purposes — may constitute Sensitive Personal Data or Information (SPDI) under the SPDI Rules. We handle such information with the following safeguards:
- Bank account details provided by business users are collected solely for enabling payouts and financial settlements and are processed in encrypted form.
- We do not store full payment card details on our servers. Card payments are processed directly by PCI-DSS compliant third-party gateways (e.g., Razorpay).
- We do not intentionally collect other categories of SPDI, including health data, biometric data, sexual orientation, political opinions, or religious beliefs.
- Passwords are stored in salted, hashed form and are never accessible in plaintext by Glymp personnel.
- We obtain explicit consent before collecting any SPDI and restrict access to such data to authorised personnel only.
2. How We Use Your Information#
2.1 Core Service Delivery
- Create and manage your account
- Enable hyperlocal discovery of stores, products, and services
- Process and display your content (posts, reviews, photos, videos)
- Facilitate follows, likes, and social interactions
- Manage Glymp Coins rewards programme
2.2 Personalisation and Recommendations
- Show relevant stores and products based on your location and interests
- Personalise your feed and discovery experience
- Recommend collections and businesses you may like
- Tailor search results and suggestions
2.3 Communication
- Send push notifications (offers, updates, activity alerts) — with your consent
- Respond to your enquiries and support requests
- Send transactional emails (account verification, password reset)
- Marketing communications — only with your explicit consent; you may opt out at any time
2.4 Safety and Security
- Detect and prevent fraud, spam, and abuse
- Enforce our Terms and Conditions and Community Guidelines
- Monitor for security threats
- Comply with legal obligations
2.5 Analytics and Improvement
- Understand usage trends and patterns
- Improve app and website performance and features
- Conduct research and development
- Debug technical issues
- Website analytics (Google Analytics, Microsoft Clarity) — only with your cookie consent
5. Data Retention#
We retain your personal data only as long as necessary for the purposes described in this policy. The schedule below sets out our standard retention periods.
| Data Category | Retention Period |
|---|---|
| Account profile data | Duration of account + 30 days after deletion request |
| User-generated content (posts, reviews, photos) | Duration of account; deleted within 30 days of account deletion |
| Location history (session-level) | 30 days rolling |
| Device and usage analytics | 12 months rolling |
| Transaction and payment records | 7 years (as required by GST/Income Tax law) |
| Communications with support team | 2 years from last interaction |
| Grievance and complaint records | 180 days from resolution date |
| Business payout / bank details | Duration of business account + 90 days |
| Encrypted backups | Purged on a rolling 30-day cycle |
Data may be retained beyond these periods only where required for legal compliance, active dispute resolution, or fraud prevention. Anonymised, aggregated data (which cannot identify you) may be retained indefinitely for analytics. Glymp Coins balances are forfeited upon account termination.
6. Your Privacy Rights#
Under the DPDP Act 2023, the DPDP Rules 2025, the IT Act 2000, and the SPDI Rules, you (as a Data Principal) have the following rights:
- Right to Access — Request a summary of the personal data we hold about you and the purposes for which it is processed.
- Right to Correction and Erasure — Update inaccurate personal information or request deletion of your personal data where it is no longer necessary for the stated purpose.
- Right to Withdraw Consent — Withdraw previously given consent for data processing at any time; withdrawal does not affect lawfulness of prior processing.
- Right to Data Portability — Request your data in a structured, commonly used format.
- Right to Grievance Redressal — File a complaint with our Grievance Officer, with escalation rights to the Data Protection Board of India (once constituted).
- Right to Nominate — Under the DPDP Act 2023, you may nominate another individual to exercise your data rights in the event of your death or incapacity. Submit nomination requests to our Grievance Officer.
- Right to Object — Object to processing of your personal data for direct marketing purposes, honoured within 7 working days.
To exercise your rights, visit our Data Management page at https://glymp.app/data-management or email privacy@glymp.app with the subject line "Data Rights Request". We will verify your identity and respond within 30 calendar days.
7. Age and Parental Consent#
Glymp is available to users aged 13 and above. We process personal data of users under 18 as follows:
- Users aged 13–17: At the time of registration, users in this age group are shown a confirmation screen stating that they require a parent or guardian's permission to use the Services. By proceeding, they confirm that such permission has been granted. We record this confirmation along with a timestamp in our consent log.
- We do not knowingly collect personal data from any person under 13 years of age. If we become aware that a user is under 13, we will immediately terminate the account and delete all associated personal data.
- Business accounts may only be created by individuals who are at least 18 years of age and have the legal authority to represent the business.
- If you are a parent or guardian and believe your child is using Glymp without your permission, or that a child under 13 has created an account, please contact us immediately at privacy@glymp.app and we will act without delay.
- We do not serve any targeted advertising to users and have no mechanisms for profiling. All data minimisation and purpose limitation requirements under the DPDP Act apply fully to our platform.
Glymp is rated 12+ on the Apple App Store and Teen on Google Play.
8. Security Practices#
We implement reasonable security practices and procedures as required under the SPDI Rules, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256)
- Secure authentication mechanisms (token-based, OTP verification)
- Role-based access controls for internal systems
- Regular security assessments and vulnerability testing
- Firewalls, intrusion detection, and DDoS protection
- Secure cloud infrastructure with SOC 2 compliant providers
- Employee training on data protection and privacy
While we strive to protect your personal information, no method of transmission or electronic storage is 100% secure. We encourage users to use strong passwords and not share credentials.
9. Cross-Border Data Transfer#
Your data is primarily stored on servers located in India. Some service providers may process data in other jurisdictions:
- United States — Google (Analytics, Firebase, Cloud), Microsoft (Clarity), Cloudflare (CDN, analytics)
- We ensure adequate data protection through contractual Data Processing Agreements (DPAs) with each provider.
- Service providers are contractually bound to process data only for the stated purpose and to implement security safeguards equivalent to those described in this policy.
- We will update this section promptly if the Central Government issues any direction under the DPDP Act restricting data transfer to specific countries, and will take immediate steps to comply.
10. Artificial Intelligence Features#
Glymp uses AI-powered features to enhance your experience:
- AI-powered search and discovery — matching your location and interests to relevant businesses
- Content recommendations and personalisation
- Image recognition and content categorisation
- Automated content moderation (human review available on request — see Grievance Policy)
Personal data processed through AI features is handled in accordance with this Privacy Policy. We do not share your personal data with AI providers for the purpose of training their public models. AI decisions are not used as the sole basis for actions with significant effects on you; where automated moderation affects your account, you may request human review through the Grievance process.
11. Data Breach Notification#
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India (once constituted under the DPDP Act 2023) as required by applicable law and regulation.
- Notify affected Data Principals promptly where the breach is likely to result in high risk to their rights or interests — we target notification within 72 hours of becoming aware of a qualifying breach.
- Describe the nature of the breach, categories and approximate volume of personal data affected, likely consequences, and measures taken or proposed.
- Maintain an internal breach register and conduct post-incident reviews to prevent recurrence.
If you suspect your account or personal data has been compromised, contact us immediately at privacy@glymp.app.
12. Do-Not-Track Signals#
We do not currently respond to Do-Not-Track (DNT) browser signals due to the absence of a uniform industry standard. We rely instead on the cookie consent mechanism described above. We will update this policy if a standard is adopted.
13. Changes to This Policy#
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
- Material changes will be communicated via in-app notification or email at least 7 days before they take effect.
- The "Last updated" date at the top will be revised.
- Continued use of the Services after changes constitutes acceptance of the revised Policy.
- We encourage you to review this policy periodically.
14. Grievance Officer#
In accordance with the Information Technology Act, 2000, the IT Rules 2021, and the DPDP Act 2023, the details of our Grievance Officer are:
Name: Khushal Paliwal
Designation: Director
Email: khushal@glymp.app
Address: 6th floor, Lightbridge, Hiranandani Business Park, Saki Vihar Rd, Tunga Village, Chandivali, Powai, Mumbai, Maharashtra 400072
Complaints will be acknowledged within 24 hours and resolved within 15 days.
15. Contact Information#
Graybyte Private Limited
6th floor, Lightbridge, Hiranandani Business Park, Saki Vihar Rd, Tunga Village, Chandivali, Powai, Mumbai, Maharashtra 400072
General Support: support@glymp.app
Privacy & Data Rights: privacy@glymp.app
Legal Notices: legal@glymp.app
Grievance Officer: khushal@glymp.app
Document version: 2026-06-10-1