Glianomics Terms of Use
Trackt Legal

Privacy Policy

This Privacy Policy explains how Glianomics Pvt Ltd collects, uses, stores, shares, and protects personal data when users access the TRACKT application and associated services.

Version
v2.1
Effective Date
01 May 2026
Owner
Glianomics Pvt Ltd
Last Updated
Loading…

1. Introduction

Glianomics Pvt Ltd ("Glianomics", "we", "us", "our"), operating the TRACKT platform, is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the TRACKT application and associated services ("Service").

TRACKT is a behavioral wellness support platform designed for individuals managing their health, habits, and routines — including users on GLP-1 therapy. Given the sensitive nature of the data we process, we have designed this policy in line with India's Digital Personal Data Protection Act 2023 ("DPDP Act"), consistent with the Digital Personal Data Protection Rules 2025 ("DPDP Rules", as and when operative provisions commence), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("SPDI Rules"), and applicable data protection laws in other jurisdictions where users access the Service.

Our use of cookies and similar tracking technologies is described in our Cookie Policy, which forms part of this overall privacy framework.

Scope — Consumer Data Only. This Privacy Policy applies solely to personal data that Glianomics processes in its capacity as a Data Fiduciary in relation to individual users of the TRACKT application. It does not apply to data that Glianomics processes on behalf of businesses, institutions, or other entities under a separate data processing agreement. If you are a business entity accessing TRACKT under a commercial agreement, the data processing terms in that agreement govern the processing of data in that context.

Please read this Policy carefully. By registering an account, you acknowledge that you have read and understood this Policy.

2. Who We Are

Data Fiduciary (India) / Data Controller (applicable jurisdictions): Glianomics Pvt Ltd
21/1306 (2), SOMAN NAGAR, Karamana, Thiruvananthapuram-695002, Kerala, India
Email: privacy@glianomics.com

Grievance Officer: Bishnu Ravi Kesavan, Co-Founder, Glianomics Pvt Ltd
Email: grievance@glianomics.com
Available: Monday–Friday, 10:00 AM – 6:00 PM IST

Data Protection Contact (EU/GDPR applicable users): Bishnu Ravi Kesavan
Email: dpo@glianomics.com
[Note: formal DPO appointment deferred to EU launch — confirm scope with Legal]

3. Categories of Personal Data We Collect

3.1 Data You Provide Directly

  • Account information: name, email address, date of birth (for age verification), and profile details
  • Demographic information: age, gender (optional)
  • Health and lifestyle inputs: weight, body metrics, meals, mood, sleep, activity logs, and medication schedules (user-reported)
  • Interactions with the AI Coach and in-app communication features

3.2 Data Collected Automatically

  • Device and system data: device type, operating system, app version, device identifiers
  • Usage logs and interaction patterns: features used, session duration, response timing
  • Approximate location derived from IP address (country/region level only)
  • Cookies, pixel tags, and similar tracking technologies — see our Cookie Policy for details of the types of cookies used, their purpose, and how to manage your preferences

3.3 Sensitive Personal Data or Information (SPDI)

Under Rule 3 of the IT (SPDI) Rules 2011, the following data collected by TRACKT is classified as Sensitive Personal Data or Information and receives the highest level of protection:

SPDI CategoryData Collected by TRACKT
Health and medical recordsWeight, body metrics, medication schedules, GLP-1 therapy data, behavioral health logs
Biometric dataHRV, sleep patterns, activity metrics (via wearable integrations)
PasswordsAccount authentication credentials

You have the right to decline to provide SPDI. Where SPDI is required for core functionality (e.g., behavioral tracking), declining to provide it will limit the features available to you.

3.4 Data from Third-Party Integrations

TRACKT may receive data from third-party health platforms and wearable devices (Apple Health, Google Health, Samsung Health, connected wearables) that you choose to integrate. This data may include HRV readings, sleep data, step counts, and other biometric inputs.

You acknowledge that: (a) such data may contain inaccuracies, delays, or gaps; (b) Glianomics does not control or warrant the accuracy of data received from third-party integrations; and (c) AI outputs generated using this data may be affected by its quality.

3.5 Inferred and Derived Data

TRACKT's systems generate wellness indicators and behavioral patterns derived from your inputs. These derived outputs are used to provide personalized support features within the application. They represent informational interpretations of your interaction patterns and are not medical conclusions or clinical assessments.

4. How We Use Your Data — Purpose and Legal Basis

We process your personal data only for specific, defined purposes. The table below sets out each processing purpose, the data used, whether it is mandatory or optional, and the legal basis under DPDP Act 2023 and applicable law.

Processing PurposeData CategoriesMandatory / OptionalLegal Basis (DPDP Act)Legal Basis (GDPR, where applicable)
Account creation and authenticationAccount dataMandatoryConsent §6Contract Art 6(1)(b)
Delivery of core behavioral wellness featuresAll personal dataMandatory for core serviceConsent §6Contract Art 6(1)(b)
Processing of health and SPDI data for wellness analysisSPDI, behavioral dataMandatory for wellness featuresExplicit Consent §6Explicit Consent Art 9(2)(a)
Safety monitoring and harmful output preventionUsage logs, behavioral dataMandatoryConsent (§6); DPDP §7(h) for medical-emergency subset — responding to a threat to life or immediate threat to healthVital Interests Art 9(2)(c)
Personalized feature calibration (individual profile only)Interaction patternsMandatory for personalizationConsent §6Contract Art 6(1)(b)
Research and analytics using de-identified aggregate dataAnonymised dataOptional — Opt-in requiredSeparate Consent §6Explicit Consent Art 9(2)(a)
Service improvement using anonymised dataAnonymised data onlyOptional — Opt-in requiredSeparate Consent §6Explicit Consent Art 9(2)(a)
Marketing and promotional communicationsContact dataOptional — Opt-in requiredSeparate Consent §6Consent Art 6(1)(a)
Notifications and service communicationsContact dataOptional (required for reminders)Consent §6Consent Art 6(1)(a)
Cookie-based analytics and trackingCookie/device dataOptional — Opt-in required where applicableConsent §6Consent Art 6(1)(a)
Legal obligation complianceAs requiredMandatoryDPDP Act §7(c) — compliance with any judgment, decree or order, or any law for the time being in force in IndiaLegal Obligation Art 6(1)(c)

6. AI Processing and Personalization

6.1 AI in TRACKT. TRACKT uses AI systems to analyze your behavioral patterns and generate personalized insights, nudges, and recommendations. These systems are designed to be non-clinical and non-authoritative. Details of how these systems function at a technical level are proprietary and not disclosed in this policy.

6.2 Personalization vs. Model Training. Your interaction patterns with TRACKT are used to calibrate the behavioral nudges and suggestions you receive. This calibration occurs within your individual profile. Your personal data is not used to train AI or machine learning models that are shared across users. Only aggregate, de-identified data — which cannot reasonably be used to re-identify you — may be used for general service improvement, and only with your separate opt-in consent under Layer 3 above.

6.3 AI Output Limitations. AI outputs may be incomplete, inconsistent, or incorrect. All outputs are non-prescriptive and should not be relied upon for medical or clinical decisions.

6.4 Automated Processing. Some TRACKT features involve automated processing to generate wellness indicators and recommendations. These outputs are for informational purposes only and do not produce legally binding decisions. You may raise a grievance with the Grievance Officer if you believe an AI-generated output is inaccurate, inappropriate or has adversely affected you. This right operates through the grievance mechanism under §13 of the DPDP Act 2023.

7. Data Sharing and Disclosure

We do not sell your personal data.

We may share your data in the following limited circumstances:

7.1 Service Providers

We engage third-party service providers to support our infrastructure and operations. All service providers are required to have appropriate contractual arrangements in place governing the processing of personal data on our behalf and maintain equivalent security and compliance standards. We work with providers in the following categories:

  • Cloud infrastructure — hosting, storage, and computing services
  • AI and machine learning infrastructure — for processing and generating personalized outputs (AI features are not yet live at the date of this policy version; this category applies on activation)
  • Email and notification delivery — for service communications and reminders
  • Our push notification service provider is in the process of migrating to EU-based data centres; Glianomics will put in place appropriate contractual arrangements with this provider governing the processing of personal data.
  • Analytics — anonymised, aggregated data only
  • Payment processing — In-app subscriptions are currently processed through Apple App Store (iOS) and Google Play Store (Android), and any other payment platforms we make available from time to time. Glianomics does not collect or store payment card data; billing is governed by the terms of the relevant payment platform

A current list of our service provider categories is available on request at privacy@glianomics.com. We do not publish named vendor lists in this policy.

7.2 Legal Requirements

We may disclose your data when required by law, court order, or regulatory authority, including in response to requests from Indian law enforcement agencies, CERT-In, or the Data Protection Board of India.

7.3 Safety

We may disclose data where we reasonably believe disclosure is necessary to prevent serious harm to you or others.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will provide advance notice of such a transfer. If the acquiring entity's privacy practices are materially less protective, you may request deletion of your data within a reasonable period of that notice.

8. Data Retention

Retention periods are set out in full in our Data Retention & Erasure Policy.

For the purposes of this Policy, 'Archived User Data' means personal data that is no longer actively used for the primary purpose for which it was collected but is retained in a restricted-access archive pending deletion at the applicable retention period end.

For a detailed schedule of retention periods applicable to each category of personal data, please refer to our Data Retention & Erasure Policy available at [URL — to be inserted] or on request at privacy@glianomics.com.

We retain your personal data for as long as is necessary for the purposes for which it was collected, or as required by applicable law, regulatory obligation or legitimate legal proceedings. When personal data is no longer required, we delete or anonymise it, or where this is not possible (for example, because your personal data has been stored in backup archives), we securely store your personal data and isolate it from any further processing until deletion is possible.

Upon account deletion, your personal data will be queued for deletion within a reasonable period, except where retention is required by law or legal proceedings. See the Data Retention & Erasure Policy for full details and how to request erasure.

9. Your Rights as a Data Principal / Data Subject

Depending on the laws applicable to you, you have the following rights. To exercise any right, contact privacy@glianomics.com with proof of identity. We will respond within 30 days of receiving your verified request.

RightDescriptionBasis
Right to AccessObtain a copy of your personal data held by GlianomicsDPDP Act §11; GDPR Art 15
Right to CorrectionRequest correction of inaccurate or incomplete dataDPDP Act §12; GDPR Art 16
Right to ErasureRequest deletion of your personal dataDPDP Act §12; GDPR Art 17
Right to Withdraw ConsentWithdraw any consent at any time without affecting prior processingDPDP Act §6; GDPR Art 7(3)
Right to Data PortabilityReceive your data in a machine-readable formatGDPR Art 20 (applicable users)
Right to ObjectObject to processing based on legitimate interestGDPR Art 21 (applicable users)
Right to Restrict ProcessingRestrict processing in certain circumstancesGDPR Art 18 (applicable users)
Right to NominateNominate a representative to exercise your rights in the event of your death or incapacityDPDP Act §14 (India users)
Right to raise a Grievance regarding AI-generated outputsYou may raise a grievance with the Grievance Officer if you believe an AI-generated output is inaccurate, inappropriate or has adversely affected you. This right operates through the grievance mechanism under §13 of the DPDP Act 2023. Note: the DPDP Act 2023 does not provide a standalone right to automated-decision review equivalent to GDPR Article 22.DPDP Act §13 (grievance redressal)

Exceptions: Some rights may be subject to legal exceptions (e.g., legal hold obligations, fraud prevention). We will notify you of any applicable exception at the time of your request.

Escalation: If you are not satisfied with our response, you may lodge a complaint with:

  • India: Data Protection Board of India under DPDP Act §27 (complaint filing procedures are published by the Board at its official portal)
  • Applicable jurisdiction: Your competent data protection supervisory authority

10. Security

We implement technical and organisational security measures appropriate to the nature and sensitivity of the data we process. These include:

  • Industry-standard encryption of data at rest and in transit
  • Role-based access control with least-privilege principle
  • Multi-factor authentication for privileged system access
  • No developer access to identifiable production data; anonymised datasets used for development and testing
  • Secure cloud infrastructure
  • Continuous monitoring and audit logging, retained in accordance with our security policy
  • Regular vulnerability assessments and penetration testing
  • Incident response procedures including regulatory notification capability

For full details, see our Internal Security & Data Protection Policy (available on request at privacy@glianomics.com).

11. Data Breach Notification

In the event of a personal data breach:

  • We will notify CERT-In within 6 hours of becoming aware of a cyber security incident, as required under the CERT-In Directions 2022
  • We will notify the Data Protection Board of India and affected Data Principals in accordance with the timelines and procedures prescribed under the DPDP Act 2023 and DPDP Rules 2025
  • Where GDPR applies, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • We maintain an internal breach register in accordance with applicable legal requirements

12. International Data Transfers

Your data is stored on cloud infrastructure. Where your data is transferred to or accessed from outside India, Glianomics ensures that appropriate safeguards are in place in accordance with applicable law. For transfers from India, we comply with the cross-border transfer requirements under the DPDP Act 2023 and DPDP Rules 2025, including in relation to countries or territories notified by the Central Government.

For users where GDPR or equivalent legislation applies: transfers of your personal data outside your jurisdiction are made subject to appropriate transfer safeguards as required by applicable law. You may request details of the transfer mechanisms in use by writing to privacy@glianomics.com.

13. Children's Privacy

Age Restriction. TRACKT is not intended for individuals under 18 years of age.

Verifiable Parental Consent. In accordance with DPDP Act 2023 §9 and DPDP Rules 2025, we will not process personal data of a child (defined as an individual under 18 years) without obtaining verifiable consent from the child's parent or lawful guardian. We implement age-verification measures at registration for this purpose.

Prohibitions. We do not engage in behavioral monitoring, targeted profiling, or behavioral advertising directed at minors.

Discovery of Minor Accounts. If we discover that a user is under 18 and parental consent has not been properly obtained, we will suspend the account and initiate deletion of the data associated with that account, in accordance with the DPDP Rules 2025.

Parental Rights. A parent or lawful guardian may exercise data rights (access, correction, erasure) on behalf of a child by contacting privacy@glianomics.com with appropriate verification.

14. Changes to This Policy

Non-material changes (contact detail updates, formatting, clarifications that do not alter the substance of processing): We will provide reasonable advance notice via update of the "Effective Date" and an in-app notification.

Material changes (new data categories, new processing purposes, new third-party sharing, changes that are less protective of your rights): We will provide advance notice via email to your registered address and in-app notification before the change takes effect. Your affirmative re-consent will be required where the change requires it under applicable law. If you do not consent to a material change, you may close your account and request data deletion.

15. Grievance Officer and Contact

For privacy queries, data rights requests, or complaints:

Grievance Officer: Bishnu Ravi Kesavan, Co-Founder, Glianomics Pvt Ltd
Address: 21/1306 (2), SOMAN NAGAR, Karamana, Thiruvananthapuram-695002, Kerala, India
Email: grievance@glianomics.com
Privacy Queries: privacy@glianomics.com
EU/GDPR Contact: dpo@glianomics.com
Available: Monday–Friday, 10:00 AM – 6:00 PM IST

If you are not satisfied with the outcome of your grievance, you may escalate to the Data Protection Board of India under DPDP Act §27, or to your applicable supervisory authority.