Glimetry logo Glimetry
Privacy Architecture

Privacy by design, not by policy

Three actors. Three separate data scopes. A clean, plain-English picture of where data lives — and what is structurally impossible for an employer to ever see.

The data flow

Three actors, three scopes

Every piece of data in Glimetry sits inside one of three boundaries. Nothing crosses unless it has been deliberately stripped of identifiers.

Employee

Sees their own data — only.

A private dashboard with full personal history. Nothing is mirrored back up to the employer.

  • Profile, gym check-ins, wearables
  • Daily score breakdown
  • Sleep & heart-rate records
  • Monthly qualification status
Employer

Sees the population — never the person.

A live dashboard of aggregate, anonymized engagement metrics. No row of data is tied to a name.

  • Enrollment count & participation rate
  • Average engagement score
  • Activity mix (gym / wearable / sleep)
  • Estimated savings vs. benchmark
Fitness Studio

Sees only their own check-ins.

A studio dashboard scoped to a single location. Members are anonymized IDs, never names.

  • Anonymized member ID
  • Timestamped check-ins at this location
  • Monthly check-in count per member
  • Nothing about benefits or health
The wall

What is structurally out of reach

The employer portal queries only aggregate tables. Individual records are never joined to employer-visible queries — not by policy, but by architecture.

Out of reach

An employer can never see…

  • Employee names linked to scores or activity
  • Weight, BMI, or any medication detail
  • Sleep, heart rate, or workout logs by person
  • Anything below the population aggregate
Under your control

An employee always controls…

  • Whether to participate at all
  • Which sources connect (Apple Health, wearable…)
  • Difficulty tier and monthly targets
  • Disconnecting or deleting at any time
How verification works

Four steps. Nothing personal travels up.

A check-in becomes a number on the employer dashboard without any name, history, or identifier ever crossing the wall.

01
Employee
QR scan at the gym

The app shows an anonymized session token — never a name, ID, or health detail.

02
Studio
Check-in logged

The studio records a timestamped event tied to the anonymized member, scoped to their location.

03
Employee
Score updated

The verified check-in raises the employee's engagement score in real time — visible to them only.

04
Employer
Aggregate refreshed

Population averages and participation rates recalculate. No individual record ever appears.

More questions about privacy?

Read the FAQ for the full breakdown — or get in touch and we'll walk you through it.

Read the FAQ → partners@glimetry.com