Privacy Policy

Last updated: May 27, 2026

GlowReader ("we", "us") is operated from India. This Privacy Policy explains what data we collect when you use the GlowReader mobile app or web service, why we collect it, who we share it with, and the rights you have over it. We have written this policy to be accurate and specific rather than legally hedged — if anything is unclear, please email [email protected].

1. Who we are

GlowReader is an AI-powered reading companion for children aged 5–12. Parents and teachers create an account, photograph a printed book page, and we OCR the text so it can be read aloud, highlighted word-by-word, and explained by an AI coach. Our intended primary user is the accountholder (an adult); children use the service under that adult's supervision and account.

2. What data we collect

We collect only what is needed to run the service. Specifically:

  • Account data — your email address, your name, a one-way hashed password (bcrypt), and your subscription plan.
  • Pages you scan — the image of the page you photograph is uploaded to our cloud storage, and the OCR-extracted text plus word positions are stored against your account so the reader can re-open the page.
  • Reading interactions — counters of how many scans, read-alouds, and AI-coach queries you have used in the current billing month (to enforce your plan limits).
  • Payment metadata — when you upgrade, we store the Razorpay order/payment identifiers and the amount, currency, and timestamp. We never see or store your card or UPI details; those are entered directly into Razorpay's payment sheet.
  • Authentication signals — failed login attempts and lockout timestamps, used to block brute-force attacks.
  • Diagnostic emails — emails you send us via the Contact Support flow remain in our support inbox.

We do not collect device advertising IDs, location, contacts, microphone audio, or any analytics about behaviour inside the app. We do not embed third-party advertising or tracking SDKs.

3. How we use your data

  • Email + password: authenticate you, deliver verification codes and password-reset links, contact you about critical service or security issues.
  • Name: personalise the in-app experience and address you in transactional emails.
  • Page images and OCR text: deliver the reading feature — extract words, position them on the rendered page, synthesise the audio narration, generate coach explanations.
  • Usage counters: enforce the limits of your subscription plan.
  • Payment metadata: maintain a billing record, issue refunds, comply with Indian tax and audit obligations.

4. Who processes your data on our behalf

We use a small number of vetted service providers (called "sub-processors") to operate the service. Each is contractually bound to use your data only to deliver the service we have requested:

  • Google Cloud Vision (Google LLC, USA) — OCR extraction from page images. Images are processed in transit and are not retained by Google for training.
  • Sarvam AI (Sarvam AI Pvt Ltd, India) — speech synthesis (text-to-speech) and the AI Reading Coach explanations.
  • Amazon Web Services (S3) (Amazon Web Services Inc.) — encrypted storage of your scanned page images.
  • Razorpay (Razorpay Software Pvt Ltd, India) — payment processing for paid subscriptions.
  • Resend (Resend Inc., USA) — delivery of transactional emails (verification codes, password resets).

We do not sell, rent, or trade your personal data to any third party. We do not share it for advertising purposes.

5. International data transfer

Some of the sub-processors above (Google, AWS, Resend) operate outside India. When your data is transferred to them, we rely on their contractual data-protection commitments. You consent to this transfer by using the service.

6. How long we keep your data

  • Account, scanned pages, OCR text: kept while your account is active. Deleted within 30 days of you closing your account (see section 8).
  • Payment audit trail: retained for up to 8 years after the transaction, as required by Indian tax law. After you close your account, these records are anonymised — your user-id is removed, so the record continues to exist for audit but is no longer linked to you personally.
  • Cached audio: speech-to-text audio is cached keyed by a hash of the text plus voice settings, not by user. The cache is shared and is not personal data.
  • Support emails: retained for up to 3 years for historical reference, then deleted.

7. Your rights

You are the "Data Principal" under India's Digital Personal Data Protection Act, 2023. You have the right to:

  • Access a copy of the personal data we hold about you — email us and we will respond within 30 days.
  • Correct any inaccurate personal data — most fields can be edited inside the app; for the rest, email us.
  • Delete your account and associated data (see section 8).
  • Withdraw consent at any time by closing your account.
  • File a grievance with our Grievance Officer (see section 13).

8. Account deletion

You can delete your account in two ways:

  • From inside the mobile app: Settings → Delete Account. You will be asked to re-enter your password to confirm.
  • By email: send a deletion request from your registered email address to [email protected]. We will confirm and complete the deletion within 30 days.

Deletion removes your account, your scanned pages, your OCR data, and your subscription. Payment records are anonymised(your identity removed) rather than deleted, as explained in section 6.

9. Children's privacy

GlowReader is designed for children to use under a parent's or teacher's account; we do not allow children to create accounts directly. The accountholder must be 18 or older.

We do not knowingly collect personal data directly from a child beyond what the accountholder enters on their behalf (such as the text on a scanned book page). We do not show advertisements to any user. We do not profile children for personalisation outside the reading session itself.

Parents and teachers control everything in the account: they can view, delete, or export the data via the procedures in sections 7 and 8.

10. Security

  • Passwords are stored as bcrypt hashes — we cannot see or recover them.
  • API traffic is encrypted in transit using HTTPS (TLS).
  • Authentication tokens are stored in HttpOnly cookies and the mobile OS keystore.
  • Failed login attempts trigger an automatic 15-minute lockout after 5 attempts.
  • Page images are stored in private cloud storage with signed, short-lived URLs.

No system is perfectly secure. If we ever discover a personal-data breach that meaningfully affects you, we will notify you and the appropriate authorities as required by Indian law.

11. Cookies and tracking

The GlowReader mobile app does not use cookies or third-party analytics SDKs. The web site uses Google Analytics solely to count anonymous visits to public pages (landing, pricing, privacy, terms) and a single cookie for your login session. No cross-site or advertising cookies are set.

12. Changes to this policy

If we make material changes, we will update the "Last updated" date at the top and, for significant changes, send a notice to your registered email at least 7 days before the change takes effect. Continued use of the service after a change means you accept the updated policy.

13. Contact and Grievance Officer

For any privacy question, data-access request, deletion request, or complaint, write to:

Grievance Officer
GlowReader
Email: [email protected]

We will acknowledge your request within 7 days and respond substantively within 30 days, as required by the DPDP Act, 2023.

14. Governing law

This policy and your use of GlowReader are governed by the laws of India. Any disputes will be subject to the exclusive jurisdiction of the courts at [Gandhinagar].