Last updated: April 25, 2026
Privacy Policy
Glowyug is built in India for Indian users. We follow the principles of India’s Digital Personal Data Protection Act, 2023 (DPDP). This page is the plain-English version — one read, nothing buried.
The short version
- We collect only what we need to deliver your personalized plan.
- We never sell your data.
- We never see your card or UPI details — Razorpay handles payments.
- You can export, correct, or delete your data any time from Account.
- Our grievance officer responds within 30 days, usually faster.
1. Who we are (Data Fiduciary)
Glowyug is the Data Fiduciary for your personal data under DPDP. Reach our Grievance Officer at grievance@glowyug.com.
2. What we collect
| Category | Examples |
|---|---|
| Account | email, display name, language preference, sign-in timestamps |
| Quiz responses | answers to the assessment quiz, derived focus tags, recommended plan |
| Practice data | workouts completed, daily streak, exercise feedback (like/dislike) |
| Optional inputs | diary entries and skin photos — only when you choose to add them |
| Payments | Razorpay payment ID, plan purchased, refund history (we never see your card / UPI VPA) |
| Device + analytics | browser, OS, screen size, anonymized event timestamps, attribution UTMs from the link you arrived on |
3. Why we collect it (Purpose)
- Deliver your personalized plan — quiz responses and tags drive the program we recommend.
- Track your progress — streaks, completions, and area progress are stored so you see continuity day-to-day.
- Process payments and refunds — required by law to issue invoices and credit notes.
- Improve the Service — aggregated, anonymized usage helps us pick which exercises to add next.
- Send transactional emails — magic-link sign-in, purchase receipts, refund confirmations, weekly progress reports (only if opted in).
4. Lawful basis (DPDP §4 & §7)
We process your data based on:
- Consent — you give it explicitly when you submit the quiz, create an account, or enable a notification preference.
- Legitimate use — account security (anti-abuse, fraud prevention), service operation, and tax record-keeping.
5. Who we share with (Data Processors)
| Processor | Purpose |
|---|---|
| Google (Firebase) | Authentication, app database, file storage, hosting (asia-south1) |
| Razorpay | Payment processing & refunds (PCI-DSS compliant) |
| SendGrid | Transactional email delivery |
| Sentry | Crash and error reporting (no personal content captured) |
| Meta & Google (analytics) | Conversion attribution (only if you accept marketing cookies) |
We have written contracts with each Processor restricting them to the purposes above. We do not sell your personal data, ever.
6. Where your data lives
Your data is stored on Google Cloud servers in the asia-south1 (Mumbai) region. Some Processors (e.g. SendGrid, Sentry) operate from servers in the EU/US under Standard Contractual Clauses for cross-border transfer.
7. How long we keep it
- Account & practice data: as long as your account is active.
- After account deletion: removed within 30 days, except where law requires retention.
- Tax records: 8 years (Indian Income Tax Act).
- Pre-purchase guest sessions: 24 hours after creation.
- Crash logs: 90 days.
8. Your rights (DPDP §11–§14)
- Access — download a copy of your data from Account → Export my data.
- Correction — edit your name, language, and preferences in Account; email us for anything else.
- Erasure — delete your account from Account → Delete account.
- Withdraw consent — turn off marketing notifications, weekly reports, or photo uploads any time.
- Grievance redress — write to our Grievance Officer (below). We respond within 30 days, usually within 7.
- Nominate — you can nominate another person to exercise these rights on your behalf in case of incapacity or death.
9. Children’s data
Glowyug is for users 18 and older. We don’t knowingly collect personal data from children under 18. If you believe we have, write to us and we’ll remove it.
10. Cookies & tracking
We use a small number of essential cookies for sign-in and security. Marketing analytics cookies (Meta Pixel, GA4) only fire if you accept the cookie banner. You can change your choice from Account → Privacy.
11. Security
Data in transit is encrypted with TLS 1.3. Data at rest is encrypted by Google Cloud (AES-256). Access to production systems is restricted to a small number of authorized engineers using 2-factor sign-in. We log access for audit.
12. Breach notification
If a personal data breach occurs, we’ll notify the Data Protection Board of India and affected users within the timelines DPDP requires (currently 72 hours of becoming aware), and explain what happened and what we’re doing about it.
13. Grievance Officer
For any question, complaint, or rights request:
14. Changes
If we change this policy in a way that affects you, we’ll notify you by email at least 14 days before the change takes effect. The effective date at the top of this page always reflects the latest version.