Technical and organisational measures Gletra employs to protect user data across marketplace, chat, calls, wallet, and home services operations.
Updated June 19, 2026. Official Gletra Policy
Gletra Technologies Pvt. Ltd. is committed to protecting the personal data of all users through comprehensive technical and organisational security measures. This Data Protection Policy describes the safeguards we implement to ensure confidentiality, integrity, and availability of data processed across our multi-vendor marketplace, Gletra Chat, voice and video calling infrastructure, Gletra Wallet, Seller Panel, and home services platform.
Our data protection programme is aligned with ISO 27001 information security management principles, PCI-DSS requirements for payment data, RBI guidelines for prepaid payment instruments, and applicable provisions of the Digital Personal Data Protection Act, 2023. We continuously assess and improve our security posture through regular audits, penetration testing, and employee training.
Data protection is a shared responsibility. While Gletra implements platform-level safeguards, users must protect their account credentials, exercise caution when sharing personal information in chat or during calls, and report suspected security incidents promptly to security@gletra.com.
This policy supplements our Privacy Policy with technical and organisational detail. For information about data collection purposes and user rights, refer to the Privacy Policy and GDPR Compliance page.
Security Governance and Organisation
Gletra maintains a dedicated information security function reporting to executive leadership. Our security governance framework includes documented policies, risk assessments, incident response procedures, and annual third-party security audits.
Chief Information Security Officer oversight of security programme
Quarterly risk assessments covering marketplace, wallet, and KYC systems
Annual ISO 27001-aligned external security audit
Mandatory security training for all employees upon hire and annually thereafter
Background verification for employees with access to production systems and KYC data
Encryption and Data Transmission
All data transmitted between user devices and Gletra servers is protected using industry-standard encryption protocols.
| Data State | Protection Method | Standard |
| --- | --- | --- |
| Data in transit | TLS 1.2+ encryption | All web, app, and API traffic |
| Sensitive data at rest | AES-256 encryption | KYC documents, payment tokens, wallet ledger |
| Database storage | Encrypted volumes | Production databases and backups |
| Chat messages | Encrypted in transit and at rest | Gletra Chat infrastructure |
| Password storage | Bcrypt hashing with salt | User authentication credentials |
Access Controls and Authentication
Access to personal data is restricted based on the principle of least privilege. Employees and contractors access user data only when necessary for their role and only through authenticated, logged, and monitored systems.
Multi-factor authentication required for all employee access to production systems
Role-based access control with quarterly access reviews and immediate revocation upon role change
Privileged access management with session recording for KYC and financial data access
Separate production and development environments with anonymised test data
API authentication using OAuth 2.0 and API key rotation policies for Seller Panel integrations
KYC and Financial Data Protection
KYC documents and financial data receive enhanced protection commensurate with their sensitivity and regulatory requirements.
KYC document images stored in isolated encrypted storage with restricted access
Payment card data tokenised through PCI-DSS Level 1 certified payment processors—Gletra does not store full card numbers
Gletra Wallet ledger protected by transactional integrity controls and dual-authorisation for large transfers
Seller payout and provider settlement data accessible only to authorised finance personnel
KYC data retention schedules enforced automatically with secure deletion upon expiry
Chat and Call Data Security
Communication data processed through Gletra Chat and calling features is protected by dedicated security controls.
Chat messages stored in encrypted databases with access logging
Call metadata retained separately from message content with equivalent encryption standards
Trust and safety review access requires dual authorisation and is fully audit logged
Automated content scanning for malware links and known fraud patterns in chat
Message export for legal requests processed through legal review workflow
Infrastructure and Network Security
Gletra production infrastructure is hosted on cloud platforms with enterprise-grade security certifications. Network security controls include web application firewalls, DDoS protection, intrusion detection systems, and network segmentation isolating payment and KYC systems from general application traffic.
Vulnerability management includes automated dependency scanning, monthly vulnerability assessments, and annual penetration testing by independent security firms. Critical vulnerabilities are remediated within 24 hours of confirmed identification.
Data Minimisation and Retention
Gletra collects and retains only data necessary for specified purposes. Automated retention enforcement deletes or anonymises data upon expiry of applicable retention periods defined in our Privacy Policy.
Product analytics and recommendation systems use anonymised or aggregated data where possible. Personal identifiers are removed from analytics datasets used for machine learning model training unless explicit consent applies.
Incident Response and Breach Notification
Gletra maintains a documented incident response plan tested annually through tabletop exercises. Upon a confirmed personal data breach, we execute the following response procedures:
Contain and assess breach scope within 4 hours of detection
Notify affected users and the Data Protection Board of India within 72 hours where required by law
Notify affected EEA/UK users and supervisory authorities per GDPR requirements where applicable
Provide guidance to affected users on protective measures such as password reset
Conduct post-incident review and implement remediation to prevent recurrence
Report suspected security vulnerabilities responsibly to security@gletra.com. We acknowledge valid reports within 48 hours and maintain a responsible disclosure programme for security researchers.
Third-Party Data Processors
Gletra engages third-party processors for payment processing, cloud hosting, KYC verification, logistics, and analytics. All processors are assessed for security compliance before engagement and bound by data processing agreements requiring equivalent protection standards, breach notification obligations, and deletion upon contract termination.
Employee and Vendor Data Handling
All Gletra employees and contractors with data access sign confidentiality agreements and complete data protection training. Violations of data handling policies result in disciplinary action up to termination and legal referral. Vendor access to Gletra systems is time-limited, monitored, and revoked immediately upon project completion.
Frequently Asked Questions
KYC documents are stored in isolated encrypted storage using AES-256 encryption with access restricted to authorised compliance personnel under dual-authorisation controls. All access is audit logged. Documents are retained per regulatory requirements and securely deleted upon retention expiry.
No. Gletra uses PCI-DSS Level 1 certified payment processors that tokenise card data. We store only payment tokens and transaction references, never full card numbers. Card entry occurs on secure processor-hosted fields isolated from Gletra servers.
We execute our incident response plan immediately upon detection. Affected users are notified within 72 hours with details of compromised data and recommended protective actions. We notify regulatory authorities as required by the Digital Personal Data Protection Act and GDPR. Post-incident remediation prevents recurrence.
Chat messages are accessible to conversation participants and authorised trust and safety personnel under strict access controls for reported abuse investigations. Access requires dual authorisation and is fully audit logged. Routine employee access to chat content does not occur.
Yes. Wallet ledger data, transaction history, and linked bank account references are encrypted at rest using AES-256 and protected in transit with TLS 1.2+. Financial transactions use integrity controls preventing unauthorised balance modifications.
Email security@gletra.com with a detailed description of the vulnerability. Do not publicly disclose before Gletra confirms remediation. We acknowledge reports within 48 hours and maintain a responsible disclosure programme. Valid security reports may be eligible for recognition in our security hall of fame.
Legal Notice
This document forms part of the Gletra Terms of Service. Gletra Technologies Pvt. Ltd. reserves the right to update this policy at any time with reasonable notice. Material changes will be communicated via email, in-app notification, or a prominent notice on our platform. Continued use of Gletra after changes constitutes acceptance of the revised policy. For questions, contact legal@gletra.com.