Privacy Policy

GLOW CONNECT (“glowConnect”, “we”, “us”) operates the glowConnect marketplace across our mobile apps and the web application at app.glowconnect.in . This Privacy Policy applies to personal data we process in connection with these services.

Please read it alongside our Terms of Use . Terms defined there have the same meaning here.

For the purposes of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), GLOW CONNECT is the Data Fiduciary for personal data processed through the Platform.

Contact for data-protection matters:

• Grievance Officer / DPO: Sohin A. Kumar
• Email: support@glowconnect.in
• Phone: +91 80789 57508
• Address: Rajithanivas, Kuttimakkool Road, Thiruvangad P.O., Thalassery, Kannur — 670103, Kerala, India

We collect the following categories of personal data:

• Identity & contact: name, email address, mobile number (from bookings), optional profile photo.
• Authentication data: Google Sign-In identity tokens, Apple Sign-In identity tokens, and our own session tokens. We do not see or store your Google or Apple password.
• Messaging & communication data: message content (text), image attachments, message read receipts, emoji reactions, service mentions, booking references, conversation metadata, and message deletion timestamps.
• Booking & transaction data: preferred date and time, number of people, service details, address (for location-based services), special requests/notes, provider responses, and booking status history (pending, accepted, declined, completed, cancelled).
• Provider profile: business name, business description, business logo and banner images, business address, portfolio images (before/after photos), service descriptions, pricing, and availability.
• Location data: for Providers, a fixed pin location submitted during onboarding. For Customers, approximate or precise GPS coordinates (depending on permission granted), cached search locations, and distance calculations for nearby service discovery.
• Subscription & billing metadata: subscription status, plan tier (plan_1, plan_2, plan_3), trial state, period end date, auto-renewal status, RevenueCat subscriber identifier, and purchase history. We do not receive or store your full payment card number, CVV, or Apple/Google account password — those are held by Apple, Google, or the payment gateway.
• Favourites & wishlist: saved services and providers for quick access.
• Reviews & feedback: feedback content, ratings (1-5 stars), image attachments (up to 5MB), and provider responses.
• Device & usage data: device model and platform (iOS / Android / Web), app version, language, IP address, coarse timezone, FCM/APNs tokens (push notification identifiers), and diagnostic events.
• Search history & preferences: search queries, category filters, price ranges, gender preferences, distance preferences, and viewed services.
• Support tickets: the content of support requests you submit and attachments you share.

We collect personal data:

• Directly from you when you create an account, complete your profile, publish Services, or contact support.
• Automatically from your device when you use the Platform (logs, device type, diagnostic events).
• From third parties when you sign in with Google or Apple (identity tokens), or when RevenueCat notifies us that your subscription has started, renewed, or ended.

We process personal data for these purposes:

• Account creation and authentication — legitimate purposes and your consent under the DPDP Act.
• Providing the marketplace service — performance of the contract formed on account creation.
• Search and discovery (showing nearby Services, filtering by category) — performance of the contract and your consent for location use.
• Subscription management (trialing, active, expiry cascade, grace-window handling) — performance of the subscription contract.
• Safety and fraud prevention — our legitimate interests and, where necessary, compliance with law.
• Support and communications (transactional email, in-app messages) — performance of contract and your consent for marketing communications where required.
• Legal compliance — tax, record-keeping, response to lawful requests.

Where the DPDP Act requires consent, we obtain it from you before processing. Consent is taken at account creation for core processing, and at the point of use for features that access sensitive signals such as location. You can withdraw consent at any time, with effect going forward, by adjusting the relevant setting in the app or by writing to support@glowconnect.in.

Withdrawing consent required for a core feature may mean you can no longer use that feature. Withdrawing consent does not affect processing that occurred before the withdrawal.

We share personal data only with the service providers we need to operate the Platform, and only for the purposes described in this policy. These processors are bound by contract to keep your data confidential and to process it only on our instructions.

Data Sharing Between Users

As a marketplace, glowConnect enables communication and transactions between Customers and Providers. This means certain personal data is shared between users:

• Messaging: When you send messages to another user, they can see your name, profile photo (if set), and message content. Both participants in a conversation can access the message history, including image attachments and reactions.
• Booking requests: When you request a booking, the Provider sees your name, contact information (email, phone number), preferred date/time, number of people, address (for location-based services), and any special requests or notes. The Customer sees the Provider's business name, contact details, service details, and provider responses.
• Provider notes: Providers can add internal notes to bookings that are visible to the Customer. These notes typically address service questions or special requirements.
• Reviews: Feedback content, ratings, and image attachments are publicly visible on the Provider's profile. Providers can respond to reviews, and both the review and response are public.

Public Profile Information

The following information is publicly visible to all users of the Platform:

• For Providers: Business name, business description, service listings, pricing, availability, portfolio images (before/after photos), business address, public reviews and ratings, and average rating score.
• For Customers: Name (as displayed in profile), profile photo (if set), and public reviews posted.
• No public display: Email addresses, phone numbers, exact GPS coordinates, authentication tokens, subscription status, and internal diagnostic data are never publicly displayed.

Other Disclosures

We also disclose personal data:

• Where required by law, in response to lawful requests from public authorities.
• To protect our rights or the safety of others, or in connection with a merger, acquisition, or reorganisation (under equivalent privacy protections).
• To our service providers (processors listed above) solely for the purposes described.

glowConnect includes a real-time messaging system that enables direct communication between Customers and Providers. Here's how messaging data is handled:

• Message content: Text messages, image attachments, emoji reactions, and service/booking references are stored in our database and delivered via WebSocket connections to both participants in real-time.
• Read receipts: When you read a message, the sender sees a read indicator. This timestamp is stored and shared with the message sender.
• Message deletion: You can delete messages you sent. Deletion timestamps are recorded, but messages may remain in the recipient's local app storage. Deleting a conversation removes it from your view but does not delete it from the Platform or the other participant's view.
• Attachments: Image attachments (chat photos) are stored on our servers and shared with the conversation participant. We restrict uploads to image MIME types and enforce size limits (typically 5 MB per image).
• Service mentions: Messages can reference specific services or bookings, creating links within conversations. These references are stored and displayed to both users.
• Retention: Message history is retained while your account is active and for up to 12 months after account closure, unless you delete specific messages or conversations. After retention periods end, messages are permanently deleted.

Messages are only accessible to the conversation participants. Our team does not read message content except when necessary for support, safety, or legal compliance.

glowConnect uses location data to connect Customers with nearby Providers and for map-based service discovery. Here's how location data is collected and used:

• GPS coordinates: With your permission, we collect precise or approximate GPS coordinates from your device. This is used to calculate distances to Providers and to show nearby services.
• Provider location: Providers submit a fixed pin location (their business address) during onboarding. This location is displayed to Customers on maps and used for distance calculations.
• Search location: When you search for services, we cache your search location to improve relevance. This cached location is stored on your device and in your user preferences.
• Distance calculations: We use the Haversine formula to compute distances between your location and Provider locations. These calculations happen server-side.
• Google Maps API: We use Google Maps API for address validation, autocomplete suggestions, and map display. Your search queries may be sent to Google for autocomplete. Google may log these queries per their privacy policy.
• Location access: Location access is optional. You can use the Platform without granting location permission, but nearby service discovery will not be available.

Location data is never sold to third parties. We only share location data with Google Maps API for the purposes described above. Providers can see your approximate location (city/distance) when you request a booking, but not your precise GPS coordinates.

The booking system is core to glowConnect's marketplace functionality. Here's how booking data is handled:

• Customer data shared with Provider: When you submit a booking request, the Provider sees your name, email address, phone number, preferred date/time, number of people, address (for location-based services), and any special requests or notes.
• Provider data shared with Customer: Customers see the Provider's business name, contact details, service descriptions, pricing, and any provider notes or responses to the booking.
• Booking status workflow: Bookings progress through statuses: pending → accepted or declined → completed or cancelled. Each status change is recorded with timestamps.
• Provider notes: Providers can add notes to bookings (e.g., confirming availability, asking clarifying questions). These notes are visible to the Customer and stored with the booking record.
• Cancellation: Customers can cancel bookings. Providers may have compensation policies for late cancellations or no-shows. Booking history, including cancellations, is retained for both parties.
• Retention: Booking records are retained while your account is active and for up to 8 years after completion for tax and accounting purposes.

Booking data is only shared between the Customer and Provider involved in the transaction. Other users cannot see your booking history or details.

glowConnect features a public review and feedback system. Here's how review data is handled:

• Public display: Reviews, ratings (1-5 stars), and image attachments are publicly displayed on the Provider's profile. Other users can see this content to make informed decisions.
• Reviewer information: Your name and profile photo (if set) are displayed alongside your review. This helps build trust and authenticity.
• Image attachments: You can attach images to reviews (e.g., before/after photos). Images are moderated and must comply with our content guidelines. File size limits apply (typically 5MB per image).
• Provider responses: Providers can respond to reviews. Both the review and the response are publicly visible. Providers cannot edit or delete customer reviews.
• Deletion: You can delete your own reviews at any time. Once deleted, the review is removed from the Provider's profile and is no longer publicly visible.
• Moderation: We moderate reviews for spam, fake content, harassment, and policy violations. Reviews that violate our guidelines may be removed without notice.
• Retention: Reviews are retained indefinitely while the Provider account is active. Deleted reviews are removed from public display within 24 hours but may remain in our databases for up to 30 days.

Reviews are a core part of our marketplace and help maintain quality and trust. We encourage honest, constructive feedback.

Search and discovery features help Customers find the right services. Here's how search data is handled:

• Search queries: We store your search queries and filter preferences to improve relevance and provide personalized recommendations.
• Filter preferences: Category, price range, gender preference, and distance filters are saved to your profile and used to tailor search results.
• Viewed services: Services you click or view are logged to improve search ranking and to provide “recently viewed” functionality.
• Favourites: You can save services to your favourites list for quick access. This list is stored in your profile and is only visible to you.
• Search indexing: If enabled, we use Meilisearch to index service descriptions, titles, and categories for fast, relevant search results.
• Location-based search: When location permission is granted, search results are sorted by distance and filtered to show nearby services first.

Search history and preferences are used only to improve your experience and are not shared with third parties for advertising purposes.

glowConnect offers tiered subscription plans for Providers. Here's how subscription and billing data is handled:

• Plan tiers: We offer three subscription tiers (plan_1, plan_2, plan_3) with different features and pricing. Your active plan is stored in your profile.
• RevenueCat integration: We use RevenueCat, a third-party subscription management platform, to process mobile subscriptions. RevenueCat handles receipt validation, subscription state syncing, and webhook notifications.
• Payment data: We do NOT receive or store your full payment card number, CVV, or Apple/Google account password. Payment processing is handled securely by Apple (iOS) or Google (Android) via their respective payment APIs.
• Trial periods: We offer trial periods for new subscribers. Trial status and period end dates are stored in your profile and synced with RevenueCat.
• Auto-renewal: Subscriptions auto-renew at the end of each billing period unless cancelled. You can manage auto-renewal in your Apple/Google account settings.
• Cancellation: You can cancel your subscription at any time. Access continues until the end of the current billing period. Cancellations are processed by Apple/Google, and we receive cancellation notifications via RevenueCat webhooks.
• Refunds: Refunds are handled by Apple or Google according to their respective refund policies. We cannot process refunds directly but can assist with refund requests.
• Retention: Subscription records and billing events are retained for up to 8 years to meet tax and accounting obligations.

Your subscription status and plan tier are visible in your profile and are used to control access to premium features. Other users cannot see your subscription details.

Some of our processors are located outside India, as shown in the table above. Where we transfer personal data outside India, we do so in accordance with the DPDP Act and any notifications issued under it. We take reasonable steps to ensure the transfer is protected by appropriate safeguards, including contractual commitments.

We retain personal data only for as long as necessary:

• Account profile: while your account is active and for up to 12 months after closure, to handle reopen requests and legal claims.
• Subscription records and billing events: up to 8 years, to meet tax and accounting obligations.
• Support correspondence: up to 24 months after resolution.
• Device logs: up to 180 days.

When a retention period ends, or when you exercise the right to erasure and we confirm eligibility, we delete or anonymise the data.

We use reasonable and generally accepted security measures to protect personal data, including:

• TLS 1.2+ encryption for all data in transit between your device and our servers.
• Password hashing using bcrypt; we never store passwords in plain text.
• Role-based access control for our team; production access is limited to authorised personnel and audited.
• Firewalled infrastructure, fail2ban on SSH and nginx, and regular security patches.
• Server-side validation on all API endpoints and signed JWTs for session management.

No method of electronic transmission or storage is 100% secure. In the event of a breach that is likely to result in a risk to your rights, we will notify you and the Data Protection Board of India as required by the DPDP Act.

Subject to the DPDP Act and the conditions set out there, you have the right to:

• Access a summary of the personal data being processed and the processing activities undertaken.
• Correction, completion, and updation of inaccurate or incomplete personal data.
• Erasure of personal data that is no longer necessary or where you withdraw consent.
• Grievance redressal through our Grievance Officer.
• Nomination — nominate another individual to exercise your rights in the event of your death or incapacity.
• Withdraw consent to any consent-based processing with effect going forward.

To exercise any of these rights, write to support@glowconnect.in from the email address associated with your account. We will respond within 30 days. If you are dissatisfied with our response, you may also approach the Data Protection Board of India.

glowConnect is not directed at children and we do not knowingly collect personal data from individuals under 18 years of age. If you believe we have collected personal data from a child, please contact us at support@glowconnect.in so we can delete it.

You can delete your glowConnect account at any time. We support two paths:

• Inside the app: Account → Delete Account. You will receive a one-time code by email to confirm the request. The same option is available on the web at app.glowconnect.in/account .
• Without signing in: visit app.glowconnect.in/account/delete and submit your account email. We will send a verification link to that email; clicking the link starts the deletion.

30-day recovery window

Once a deletion request is confirmed, your account is marked for deletion and you are signed out everywhere. For 30 days you can sign in again and recover the account in one tap. After 30 days, an automated process permanently erases your data and the account cannot be recovered.

What is hard-deleted after 30 days

• Your account profile, avatar, and authentication credentials.
• Your provider profile, services, portfolio images, banner, logo, and search index entries (if you were a Provider).
• Your push notification tokens, notification preferences, favourites, search history, and feed telemetry.
• Your chat-template snippets, support tickets, and feedback submissions.
• All file attachments you uploaded (avatar, banner, logo, service photos, chat images, support attachments).

What is anonymized (not deleted) so other users keep their history

• Reviews you wrote about Providers stay on the Provider's public profile so future Customers still benefit from genuine feedback. Your name and avatar are replaced by “Deleted user” and a neutral placeholder.
• Conversations you had with other users remain visible to the surviving participant, so they keep their chat history. Your messages stay; your sender name and avatar render as “Deleted user”.
• Bookings remain in the surviving party's booking history with your name, contact details, and address fields anonymized.

Admin retention for safety, legal, and support

During the 30-day recovery window, our internal admin and support team can still see your unanonymized data (this is needed to investigate fraud reports, respond to legal requests, and assist if you change your mind). After the 30-day cascade runs, even admins can no longer see your data.

Subscriptions on Apple and Google

Deleting your glowConnect account does not cancel an active App Store or Play Store subscription. Apple and Google control the recurring payment, not us. To stop future charges you must cancel on the platform itself: Apple ID → Subscriptions → glowConnect, or Google Play → Profile → Payments & subscriptions → glowConnect. The deletion confirmation email and the in-app success screen include direct links to these settings.

This table summarises the data collected by our Android app, aligned with the Google Play Data Safety form. The full definitions of each category are in Google Play's Data Safety documentation.

All data is encrypted in transit. Users can request deletion through the channels described in Section 11.

This table summarises the data linked to your identity in our iOS app, aligned with the App Store Privacy “nutrition label” categories.

glowConnect does not use any third-party tracking SDKs and does not build advertising profiles about users.

On the web application, we store a small number of first-party cookies and local-storage entries that are strictly necessary for the Platform to function — for example, to keep you signed in between pages. We do not use third-party analytics cookies, advertising cookies, or tracking pixels at the effective date of this policy.

Because none of our current cookies track behaviour across other websites, a cookie consent banner is not required under the DPDP Act or the e-Privacy frameworks we align with. If we add analytics or advertising technology in the future, we will seek your consent before that technology is activated.

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email and inside the Platform and update the Effective Date at the top of this page. The previous version will be available from us on request.

In accordance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 10 of the DPDP Act, the Grievance Officer for data-protection matters is:

• Name: Sohin A. Kumar
• Email: support@glowconnect.in
• Phone: +91 80789 57508
• Address: Rajithanivas, Kuttimakkool Road, Thiruvangad P.O., Thalassery, Kannur — 670103, Kerala, India

The Grievance Officer will acknowledge receipt of a complaint within 24 hours and will respond within 30 days. If you are dissatisfied with the response, you may approach the Data Protection Board of India.

For general questions, write to support@glowconnect.in or call +91 80789 57508. For postal correspondence: GLOW CONNECT, Rajithanivas, Kuttimakkool Road, Thiruvangad P.O., Thalassery, Kannur — 670103, Kerala, India.