Privacy Policy

This Privacy Policy explains how Graybyte Private Limited ("Glymp", "we", "us", or "our"), acting as a Data Fiduciary, collects, uses, stores, discloses, and protects the personal data of Data Principals (you, the user) when you access or use our services ("Services").

• Visiting our website https://glymp.app
• Downloading and using the Glymp mobile application (User App or Business App)
• Discovering nearby products, stores, and services
• Posting content, reviews, or engaging with businesses
• Earning or redeeming Glymp Coins
• Engaging with us through marketing, promotions, or customer support

This policy is published in compliance with the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"); and the Digital Personal Data Protection Act, 2023 ("DPDP Act"), to the extent its provisions have come into force. In the event of any conflict between these frameworks, the DPDP Act shall prevail to the extent of such conflict.

If you do not agree with this Privacy Policy, please do not use our Services. For questions, contact us at support@glymp.app.

1. Information We Collect

2. How We Use Your Information

3. Cookies and Tracking Technologies

We use the following technologies:

You can manage cookie preferences through your browser settings. Disabling cookies may affect certain functionalities. On mobile, you can reset your advertising identifier or opt out of personalized ads through your device's privacy settings.

4. Third-Party Integrations and Data Sharing

We share data with the following categories of service providers, bound by contractual data protection obligations:

• Cloud Infrastructure — Hosting, storage, and content delivery (e.g., AWS, Google Cloud, Cloudflare)
• Analytics Providers — Usage analysis and crash reporting (e.g., Firebase Analytics, Cloudflare Web Analytics)
• Payment Gateways — Secure payment processing (e.g., Razorpay)
• Push Notification Services — Delivering notifications (e.g., Firebase Cloud Messaging)
• Media Processing — Image and video optimization (e.g., ImageKit)
• AI/ML Services — Powering search, recommendations, and content understanding
• Communication Tools — Email delivery and customer support

We may also share information:

• With law enforcement or government authorities when required by law or legal process
• During business transfers, mergers, or acquisitions
• With business partners for joint promotions (with your consent)
• With other users when you post content publicly
• To protect the rights, safety, and property of Glymp and its users

5. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

• Active account data — Retained for the duration of your account being active
• Post-deletion — Core account data is deleted within 90 days of account deletion request. Some data may be retained in anonymized form for analytics.
• Legal holds — Data may be retained longer if required for legal compliance, dispute resolution, or fraud prevention
• Backups — Encrypted backups are purged on a rolling 30-day cycle
• User-generated content — Publicly posted content (reviews, photos) is removed upon account deletion unless it has been reposted or referenced by others

Glymp Coins balances expire and are forfeited upon account termination.

6. Your Privacy Rights

Under the Indian IT Act, SPDI Rules, the DPDP Act 2023, and in alignment with global best practices, you (as a Data Principal) have the following rights:

• Right to Access — Request a summary of the personal data we hold about you and the purposes for which it is processed
• Right to Correction and Erasure — Update inaccurate personal information or request deletion of your personal data where it is no longer necessary for the stated purpose
• Right to Withdraw Consent — Withdraw previously given consent for data processing at any time; withdrawal does not affect lawfulness of prior processing
• Right to Data Portability — Request your data in a structured, commonly used format to facilitate transfer to another platform
• Right to Grievance Redressal — File a complaint with our Grievance Officer, with escalation rights to the Data Protection Board of India once constituted under the DPDP Act
• Right to Nominate — Under the DPDP Act 2023, you have the right to nominate another individual who may exercise your data rights in the event of your death or incapacity. Nomination requests can be submitted to our Grievance Officer.
• Right to Object — Object to processing of your personal data for direct marketing purposes, which will be honoured within 7 working days

To exercise your rights, use the in-app account settings or email us at support@glymp.app with subject line "Data Rights Request". We will verify your identity and respond within 30 calendar days.

7. Children and Minors

Glymp is rated 12+ on app stores.

• Children under 12: We do not knowingly collect personal information from children under the age of 12. If we become aware that a child under 12 has provided us with personal data, we will take steps to delete it promptly.
• Users aged 12–17: Minors between 12 and 17 may use Glymp with the consent and supervision of a parent or legal guardian. Parents/guardians assume responsibility for the minor's activity on the platform.
• Content filtering: We implement age-appropriate content moderation. Content flagged as mature, violent, or inappropriate is restricted from users under 18.
• No targeted advertising to minors: We do not serve behaviorally targeted advertisements to users identified as under 18.
• Limited data processing: For minor users, we limit data collection to what is essential for the service and do not process their data for profiling or marketing purposes.

If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us at support@glymp.app.

8. Security Practices

We implement reasonable security practices and procedures as required under the SPDI Rules, including:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Secure authentication mechanisms (token-based, OTP verification)
• Role-based access controls for internal systems
• Regular security assessments and vulnerability testing
• Firewalls, intrusion detection, and DDoS protection
• Secure cloud infrastructure with SOC 2 compliant providers
• Employee training on data protection and privacy

While we strive to protect your personal information, no method of transmission or electronic storage is 100% secure. We cannot guarantee absolute security and encourage users to also take precautions (e.g., strong passwords, not sharing credentials).

9. Cross-Border Data Transfer

Your data is primarily stored on servers located in India. However, some of our service providers may process data in other jurisdictions (e.g., United States, European Union). In such cases:

• We ensure adequate data protection through contractual safeguards
• Service providers are bound by data processing agreements
• We comply with applicable Indian laws regarding data transfer
• Your data receives substantially similar protection regardless of where it is processed

10. Artificial Intelligence Features

Glymp uses AI-powered features to enhance your experience:

• AI-powered search and discovery
• Content recommendations and personalization
• Image recognition and content categorization
• Automated content moderation

Personal data processed through AI features is handled in accordance with this Privacy Policy. AI decisions are not used as the sole basis for actions with legal or significant effects on you.

11. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India (once constituted under the DPDP Act 2023) as required by applicable law and regulation.
• Notify affected Data Principals (users) promptly where the breach is likely to result in high risk to their rights or interests — we target notification within 72 hours of becoming aware of a qualifying breach, consistent with emerging regulatory guidance.
• Describe the nature of the breach, the categories and approximate volume of personal data affected, the likely consequences, and the measures taken or proposed to address the breach.
• Maintain an internal breach register and conduct post-incident reviews to prevent recurrence.

If you suspect your account or personal data has been compromised, contact us immediately at support@glymp.app. We will investigate and keep you informed of our findings.

12. Do-Not-Track Signals

We do not currently respond to Do-Not-Track (DNT) browser signals due to the absence of a uniform industry standard. We will update this policy if a standard is adopted.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

• Material changes will be communicated via in-app notification or email
• The "Last updated" date at the top will be revised
• Continued use of the Services after changes constitutes acceptance
• We encourage you to periodically review this policy

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the IT Rules 2021, the details of our Grievance Officer are:

15. Contact Information