Glymp

Privacy Policy

Last updated — June 2026

This Privacy Policy explains how Graybyte Private Limited ("Glymp", "we", "us", or "our"), acting as a Data Fiduciary, collects, uses, stores, discloses, and protects the personal data of Data Principals (you, the user) when you access or use our services ("Services").

This policy is published in compliance with the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"); and the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 ("DPDP Act/Rules"), to the extent their provisions have come into force. In the event of any conflict between these frameworks, the DPDP Act/Rules shall prevail to the extent of such conflict.

If you do not agree with this Privacy Policy, please do not use our Services. For privacy questions, contact us at privacy@glymp.app.

Summary of Key Points

  • Glymp is available to users aged 13 and above. Users between 13 and 17 must confirm parental or guardian permission at registration. We do not knowingly collect data from anyone under 13.
  • We collect personal information you provide and some information automatically (device, location, usage).
  • We use your data to personalise discovery, show recommendations, and improve the platform.
  • We do not sell your personal data to third parties.
  • Analytics cookies (Google Analytics, Microsoft Clarity) are used on the website only with your consent.
  • We may share data with trusted service providers under contractual obligations.
  • You have rights to access, correct, delete, and port your data.
  • We implement reasonable security measures compliant with Indian IT law.

1. Information We Collect#

1.1 Personal Information You Provide

When you register, create a profile, or use our Services, we may collect:

  • Full name and display name
  • Email address
  • Phone number
  • Profile photo
  • Date of birth (for age verification — users under 13 are not permitted; users aged 13–17 must confirm parental or guardian permission at registration)
  • Gender (optional)
  • Delivery or billing address
  • Business details (for business accounts: store name, category, GST number, bank details)
  • Payment information (processed securely via third-party payment gateways)

1.2 User-Generated Content

When you interact with Glymp, we collect:

  • Photos and videos you post
  • Reviews, ratings, and comments
  • Collections you create or follow
  • Likes, saves, and engagement activity
  • Search queries and browsing history within the app

1.3 Device and Technical Information

We automatically collect:

  • Device type, model, operating system, and version
  • Unique device identifiers (device ID, advertising ID)
  • IP address
  • Browser type and version (for web access)
  • App version and build number
  • Network information (Wi-Fi, cellular)
  • Crash logs and diagnostic data

1.4 Location Data

As a hyperlocal discovery platform, location is central to our Services:

  • Precise location (GPS) — with your explicit device permission, used to show nearby stores, products, and services. We collect location only while you are actively using the app (foreground access); we do not collect location when the app is in the background unless you have separately granted always-on permission for a specific feature.
  • Approximate location — derived from IP address or network data for the website
  • Saved locations — locations you manually save or set as preferred areas
  • We do not share your individual, identifiable location with businesses. Businesses may access aggregated, anonymised footfall analytics that do not identify individual users.

You can disable location access through your device settings at any time. Disabling location may limit the accuracy of discovery features.

1.5 Behavioural and Usage Data

We collect data about how you interact with the platform:

  • Pages and screens viewed
  • Time spent on content
  • Tap and scroll patterns
  • Feature usage frequency
  • Referral sources (how you found us)
  • Glymp Coins earned, redeemed, and balance

1.6 Sensitive Personal Data

Certain information we collect for business accounts — specifically bank account details provided for payout purposes — may constitute Sensitive Personal Data or Information (SPDI) under the SPDI Rules. We handle such information with the following safeguards:

  • Bank account details provided by business users are collected solely for enabling payouts and financial settlements and are processed in encrypted form.
  • We do not store full payment card details on our servers. Card payments are processed directly by PCI-DSS compliant third-party gateways (e.g., Razorpay).
  • We do not intentionally collect other categories of SPDI, including health data, biometric data, sexual orientation, political opinions, or religious beliefs.
  • Passwords are stored in salted, hashed form and are never accessible in plaintext by Glymp personnel.
  • We obtain explicit consent before collecting any SPDI and restrict access to such data to authorised personnel only.

2. How We Use Your Information#

2.1 Core Service Delivery

  • Create and manage your account
  • Enable hyperlocal discovery of stores, products, and services
  • Process and display your content (posts, reviews, photos, videos)
  • Facilitate follows, likes, and social interactions
  • Manage Glymp Coins rewards programme

2.2 Personalisation and Recommendations

  • Show relevant stores and products based on your location and interests
  • Personalise your feed and discovery experience
  • Recommend collections and businesses you may like
  • Tailor search results and suggestions

2.3 Communication

  • Send push notifications (offers, updates, activity alerts) — with your consent
  • Respond to your enquiries and support requests
  • Send transactional emails (account verification, password reset)
  • Marketing communications — only with your explicit consent; you may opt out at any time

2.4 Safety and Security

  • Detect and prevent fraud, spam, and abuse
  • Enforce our Terms and Conditions and Community Guidelines
  • Monitor for security threats
  • Comply with legal obligations

2.5 Analytics and Improvement

  • Understand usage trends and patterns
  • Improve app and website performance and features
  • Conduct research and development
  • Debug technical issues
  • Website analytics (Google Analytics, Microsoft Clarity) — only with your cookie consent

3. Cookies and Tracking Technologies#

The Glymp website uses the following cookie categories. You can manage your preferences via the cookie banner shown on your first visit or by contacting us.

TechnologyPurpose
Essential cookiesAuthentication, session management, theme preference, location selector. Always active — cannot be disabled.
Analytics cookies (opt-in)Google Analytics and Microsoft Clarity — used to understand page visits, navigation patterns, and site performance. Loaded only with your consent.
Functional cookiesRemembering preferences and location settings across visits.
Local storageCaching user preferences and location data on-device.

No advertising cookies are used on the Glymp website. The website is purely informational. You can change your analytics cookie preference at any time by clearing your browser storage or contacting us. On the mobile app, you can reset your advertising identifier or opt out of personalised ads through your device's privacy settings.

4. Third-Party Integrations and Data Sharing#

We share data with the following categories of service providers, bound by contractual data protection obligations. We do not sell your personal data.

  • Cloud infrastructure — Hosting, storage, and content delivery (AWS / Google Cloud / Cloudflare, India and US regions)
  • Website analytics — Google Analytics (USA) and Microsoft Clarity (USA) — only with your cookie consent
  • Payment gateways — Secure payment processing (Razorpay, India)
  • Push notification services — Firebase Cloud Messaging (Google, USA)
  • Media processing — Image and video optimisation (ImageKit, India)
  • AI/ML services — Search, recommendations, and content categorisation. We do not share your personal data with AI providers for the purpose of training their public models without your explicit consent.
  • Communication tools — Email delivery and customer support

We may also share information:

  • With law enforcement or government authorities when required by law or valid legal process
  • During business transfers, mergers, or acquisitions (you will be notified)
  • With other users when you post content publicly (your public profile and posts)
  • To protect the rights, safety, and property of Glymp and its users

5. Data Retention#

We retain your personal data only as long as necessary for the purposes described in this policy. The schedule below sets out our standard retention periods.

Data CategoryRetention Period
Account profile dataDuration of account + 30 days after deletion request
User-generated content (posts, reviews, photos)Duration of account; deleted within 30 days of account deletion
Location history (session-level)30 days rolling
Device and usage analytics12 months rolling
Transaction and payment records7 years (as required by GST/Income Tax law)
Communications with support team2 years from last interaction
Grievance and complaint records180 days from resolution date
Business payout / bank detailsDuration of business account + 90 days
Encrypted backupsPurged on a rolling 30-day cycle

Data may be retained beyond these periods only where required for legal compliance, active dispute resolution, or fraud prevention. Anonymised, aggregated data (which cannot identify you) may be retained indefinitely for analytics. Glymp Coins balances are forfeited upon account termination.

6. Your Privacy Rights#

Under the DPDP Act 2023, the DPDP Rules 2025, the IT Act 2000, and the SPDI Rules, you (as a Data Principal) have the following rights:

  • Right to Access — Request a summary of the personal data we hold about you and the purposes for which it is processed.
  • Right to Correction and Erasure — Update inaccurate personal information or request deletion of your personal data where it is no longer necessary for the stated purpose.
  • Right to Withdraw Consent — Withdraw previously given consent for data processing at any time; withdrawal does not affect lawfulness of prior processing.
  • Right to Data Portability — Request your data in a structured, commonly used format.
  • Right to Grievance Redressal — File a complaint with our Grievance Officer, with escalation rights to the Data Protection Board of India (once constituted).
  • Right to Nominate — Under the DPDP Act 2023, you may nominate another individual to exercise your data rights in the event of your death or incapacity. Submit nomination requests to our Grievance Officer.
  • Right to Object — Object to processing of your personal data for direct marketing purposes, honoured within 7 working days.

To exercise your rights, visit our Data Management page at https://glymp.app/data-management or email privacy@glymp.app with the subject line "Data Rights Request". We will verify your identity and respond within 30 calendar days.

7. Age and Parental Consent#

Glymp is available to users aged 13 and above. We process personal data of users under 18 as follows:

  • Users aged 13–17: At the time of registration, users in this age group are shown a confirmation screen stating that they require a parent or guardian's permission to use the Services. By proceeding, they confirm that such permission has been granted. We record this confirmation along with a timestamp in our consent log.
  • We do not knowingly collect personal data from any person under 13 years of age. If we become aware that a user is under 13, we will immediately terminate the account and delete all associated personal data.
  • Business accounts may only be created by individuals who are at least 18 years of age and have the legal authority to represent the business.
  • If you are a parent or guardian and believe your child is using Glymp without your permission, or that a child under 13 has created an account, please contact us immediately at privacy@glymp.app and we will act without delay.
  • We do not serve any targeted advertising to users and have no mechanisms for profiling. All data minimisation and purpose limitation requirements under the DPDP Act apply fully to our platform.

Glymp is rated 12+ on the Apple App Store and Teen on Google Play.

8. Security Practices#

We implement reasonable security practices and procedures as required under the SPDI Rules, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Secure authentication mechanisms (token-based, OTP verification)
  • Role-based access controls for internal systems
  • Regular security assessments and vulnerability testing
  • Firewalls, intrusion detection, and DDoS protection
  • Secure cloud infrastructure with SOC 2 compliant providers
  • Employee training on data protection and privacy

While we strive to protect your personal information, no method of transmission or electronic storage is 100% secure. We encourage users to use strong passwords and not share credentials.

9. Cross-Border Data Transfer#

Your data is primarily stored on servers located in India. Some service providers may process data in other jurisdictions:

  • United States — Google (Analytics, Firebase, Cloud), Microsoft (Clarity), Cloudflare (CDN, analytics)
  • We ensure adequate data protection through contractual Data Processing Agreements (DPAs) with each provider.
  • Service providers are contractually bound to process data only for the stated purpose and to implement security safeguards equivalent to those described in this policy.
  • We will update this section promptly if the Central Government issues any direction under the DPDP Act restricting data transfer to specific countries, and will take immediate steps to comply.

10. Artificial Intelligence Features#

Glymp uses AI-powered features to enhance your experience:

  • AI-powered search and discovery — matching your location and interests to relevant businesses
  • Content recommendations and personalisation
  • Image recognition and content categorisation
  • Automated content moderation (human review available on request — see Grievance Policy)

Personal data processed through AI features is handled in accordance with this Privacy Policy. We do not share your personal data with AI providers for the purpose of training their public models. AI decisions are not used as the sole basis for actions with significant effects on you; where automated moderation affects your account, you may request human review through the Grievance process.

11. Data Breach Notification#

In the event of a personal data breach, we will:

  • Notify the Data Protection Board of India (once constituted under the DPDP Act 2023) as required by applicable law and regulation.
  • Notify affected Data Principals promptly where the breach is likely to result in high risk to their rights or interests — we target notification within 72 hours of becoming aware of a qualifying breach.
  • Describe the nature of the breach, categories and approximate volume of personal data affected, likely consequences, and measures taken or proposed.
  • Maintain an internal breach register and conduct post-incident reviews to prevent recurrence.

If you suspect your account or personal data has been compromised, contact us immediately at privacy@glymp.app.

12. Do-Not-Track Signals#

We do not currently respond to Do-Not-Track (DNT) browser signals due to the absence of a uniform industry standard. We rely instead on the cookie consent mechanism described above. We will update this policy if a standard is adopted.

13. Changes to This Policy#

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Material changes will be communicated via in-app notification or email at least 7 days before they take effect.
  • The "Last updated" date at the top will be revised.
  • Continued use of the Services after changes constitutes acceptance of the revised Policy.
  • We encourage you to review this policy periodically.

14. Grievance Officer#

In accordance with the Information Technology Act, 2000, the IT Rules 2021, and the DPDP Act 2023, the details of our Grievance Officer are:

Name: Khushal Paliwal

Designation: Director

Email: khushal@glymp.app

Address: 6th floor, Lightbridge, Hiranandani Business Park, Saki Vihar Rd, Tunga Village, Chandivali, Powai, Mumbai, Maharashtra 400072

Complaints will be acknowledged within 24 hours and resolved within 15 days.

15. Contact Information#

Graybyte Private Limited

6th floor, Lightbridge, Hiranandani Business Park, Saki Vihar Rd, Tunga Village, Chandivali, Powai, Mumbai, Maharashtra 400072

General Support: support@glymp.app

Privacy & Data Rights: privacy@glymp.app

Legal Notices: legal@glymp.app

Grievance Officer: khushal@glymp.app

Document version: 2026-06-10-1