Privacy Policy

This Privacy Policy applies to services provided by Glamco Exim Private Limited (CIN: U74999JH2019PTC013344), a company incorporated under the Companies Act 2013, registered at Registrar of Companies, Jharkhand, with its registered office at:

We are the data controller for personal data processed through the Glamco Exim platform.

We collect the following categories of personal data:

Account Registration Data

• Full name, email address, mobile number
• Password (stored as a bcrypt hash — never in plain text)
• Role (Buyer / Constructor / Contractor)
• City of residence

Transaction Data

• Booking details: flat ID, project, amounts, payment milestones
• Payment references (Razorpay transaction IDs)
• Bid submissions and tender interactions

Uploaded Documents

• Identity proof, income documents, or property-related files you choose to upload

Technical / Usage Data

• IP address, browser type, device type
• Pages visited, session duration, click patterns (analytics)
• Login timestamps and activity logs

We use your personal data to:

• Provide Services: Create and manage your account, process bookings, facilitate payments.
• Verify Identity: Send OTPs to confirm email and mobile during registration and sensitive actions.
• Communications: Send transactional emails (booking confirmations, payment receipts, OTPs, notifications).
• Platform Safety: Detect and prevent fraud, abuse, and unauthorised account access.
• Analytics: Understand platform usage to improve features and user experience.
• Legal Compliance: Meet our obligations under Indian law, including the Information Technology Act 2000 and applicable RBI guidelines.

We do not use your data for unsolicited marketing without your explicit consent.

When you register or perform sensitive actions, we generate a one-time password (OTP) sent to your email and/or mobile number. Regarding OTP data:

• OTPs are stored in our database as plain text only until they are used or expire (10 minutes).
• Expired and used OTPs are automatically marked and are not re-usable.
• We rate-limit OTP requests to 5 per hour per identifier to prevent abuse.
• OTP delivery logs (for operational troubleshooting) are retained for 30 days and then auto-deleted.
• We never share OTP values with third parties.

We do not sell your personal data. We share data only in these limited circumstances:

• Payment Processing: Razorpay receives transaction data necessary to process payments. Razorpay is PCI-DSS compliant.
• SMS Gateway: Your mobile number is shared with our SMS provider solely to deliver OTPs.
• Constructor / Contractor: When you book a property or a bid is awarded, relevant parties receive the data necessary to fulfil the transaction.
• Legal Obligations: We may disclose data if required by a court order, government authority, or to enforce our legal rights.
• Business Transfer: In the event of a merger or acquisition, your data may be transferred to the successor entity, with prior notice.

We use the following types of cookies:

• Essential Cookies: Session cookies required for login and CSRF protection. Cannot be disabled.
• Analytics Cookies: Anonymous usage statistics to improve the platform (opt-out available in settings).

We do not use advertising or tracking cookies. You can control cookie settings through your browser preferences.

• Account data is retained for as long as your account is active, plus 3 years after closure (for legal compliance).
• Transaction records are retained for 7 years as per Indian accounting regulations.
• OTP logs are retained for 30 days.
• Activity logs are retained for 1 year.
• Uploaded documents are retained until you delete them or close your account.

• Passwords are stored using bcrypt with cost factor 12 — never in plain text.
• All data transmission is protected via HTTPS/TLS.
• CSRF tokens protect all form submissions.
• XSS prevention via output escaping on all user-generated content.
• SQL injection prevention via prepared statements throughout.
• Rate limiting on login attempts and OTP requests.
• Regular security audits and vulnerability assessments.

While we take strong measures to protect your data, no method of internet transmission is 100% secure. We encourage you to use a strong, unique password.

Under applicable Indian law (Information Technology Act 2000 and its rules), you have the following rights:

• Access: Request a copy of personal data we hold about you.
• Rectification: Update inaccurate data through your profile settings.
• Erasure: Request deletion of your account and personal data (subject to legal retention obligations).
• Portability: Request your data in a machine-readable format.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at admin@glamcoexim.com with subject line "Data Rights Request". We will respond within 30 days.

Glamco Exim is intended for use by adults (18+). We do not knowingly collect personal data from individuals under 18. If we become aware that a child has provided us with personal information, we will delete it promptly. If you believe a child has registered on our platform, please contact us immediately.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Effective Date" at the top of this page.
• Send a notification to your registered email address.
• Display a notice on the platform dashboard.

Your continued use of the platform after updates constitutes acceptance of the revised policy.

For any privacy-related queries, requests, or concerns, please contact: