The biggest risk in any trading service is the platform itself. Glimpse is built so our systems cannot withdraw or transfer your exchange funds. Here's how that works in plain English.
When you connect Bybit or Toobit, Glimpse only accepts a trading-only API key. Withdrawals are blocked at the source. Even if every part of our system were compromised tomorrow, no attacker could move funds out of your account through us.
The keys you give us are encrypted the moment we receive them, with industry-standard authenticated encryption. They're only decrypted in memory, briefly, when the desk needs to place a trade. Never written to a log, never returned to your browser, never copied to a backup in the clear.
Glimpse is not a custodian. Your funds sit on your own Bybit or Toobit account at all times. We never hold a balance on your behalf. If we were to vanish tomorrow, you log into your exchange and trade as you always could. No bridge to unwind. No queue to wait through.
Every read and write is gated below the interface: you can only see your own records. That isn't a screen-level check we could forget. It is built into the private data layer, so a bug in the app still cannot expose another customer's information.
Every connection (to your browser, to your exchange, to our payment processor) runs over modern encrypted transport. Every order request is signed and verified. Every payment notification is signature-checked before we trust it.
Service issue on our side? The desk pauses. Exchange unreachable? Orders queue and retry, with the user notified. Conditions deteriorate mid-trade? The desk tightens to flat instead of pressing. Empty days are cheaper than wrong days.
Glimpse needs order placement and account/position reads. It does not need withdrawals, transfers, account-management permissions, deposits, or your exchange password. Revoke the key from your exchange dashboard and Glimpse stops receiving access.
API keys with withdrawal permission are refused. Toobit does not currently expose every permission flag over its REST API, so users must set Withdrawals off manually during key creation and keep exchange account security enabled.
You can pause Glimpse in the dashboard or delete the API key at Bybit or Toobit. Exchange-side deletion wins immediately because Glimpse can no longer authenticate order requests.
There is no SOC report, penetration-test letter, or external audit to claim yet. Until one exists, this page sticks to controls users can inspect: permissions, custody boundary, encryption posture, disclosure contact, and revocation path.
We have a no-questions-asked vulnerability disclosure policy. If you find a security issue, write to us before publishing it. Our target response is one business day, and we credit you publicly if you’d like.