Privacy Policy

📅 Effective: 1 June 2025
🔄 Last updated: 1 June 2025
📍 Governed by Indian law (DPDP Act 2023)

Plain English Summary: Sanchay collects only what's needed to run the service. We never sell your data. Health and financial information is sensitive — we treat it that way. You can delete everything at any time. We comply with India's Digital Personal Data Protection Act, 2023.

1. Who We Are

Sanchay ("we", "our", "us") is a personal record-keeping platform that helps Indian families and NRIs track health records, insurance policies, renewal dates, and family wealth (mutual fund SIP). Sanchay is operated by [Your Full Legal Name / Partnership Name], based in India.

For purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary with respect to the personal data you provide.

2. What Data We Collect

2.1 Account Data

When you create an account, we collect your email address and a hashed password (a one-way bcrypt hash; see Section 5). We do not store your password in plain text — ever.

2.2 Data You Enter Into the App

Category | Examples | Why collected
Person profiles | Name, date of birth, relationship, blood group, allergies, medical conditions, emergency contact | To display emergency info and personalise records
Insurance policies | Policy name, number, type, premium, renewal date, insurer | To track and remind you of renewals
Medical reports | Report name, date, lab/doctor, findings, uploaded files | To maintain a personal medical history
Financial data | Mutual fund names, invested amount, units held | To display portfolio value using live AMFI NAV
Documents | PDF scans, JPG/PNG images uploaded by you | To store and display your documents on demand

2.3 Technical Data

We collect standard technical data: IP address, browser type, device type, pages visited, and time of access. This is used solely for security monitoring and improving the service.

2.4 What We Do NOT Collect

  • We do not collect Aadhaar, PAN, or government ID numbers
  • We do not collect payment card numbers (handled by Razorpay, a PCI-DSS compliant processor)
  • We do not collect location data beyond your stated country
  • We do not collect biometric data

3. How We Use Your Data

  • To provide the service — storing your records, calculating renewal dates, displaying live NAV
  • To send reminders — email (and WhatsApp on the NRI Pro plan) alerts before policy renewals, if you have enabled this feature
  • To manage your account — authentication, billing, and support
  • To improve the service — aggregated, anonymised usage analytics (e.g. which features are most used). No individual data is analysed for this purpose
  • To comply with law — if legally required by Indian authorities

⚠️ We are not a financial advisor or insurance broker. Sanchay is a record-keeping and reminder tool only. Nothing in the app constitutes financial, insurance, or medical advice.

4. Sensitive Personal Data

Under the DPDP Act 2023, certain data is classified as Sensitive Personal Data and requires explicit consent before collection. The following data you may enter into Sanchay falls into this category:

  • Health and medical information (conditions, allergies, lab results)
  • Financial data (policy premiums, investment amounts)

Your explicit consent: By creating an account and entering this data, you provide explicit, informed consent for Sanchay to store and process it solely for the purpose of delivering the service to you. You may withdraw consent at any time by deleting your account. Withdrawal of consent will result in permanent deletion of all your data within 30 days.

We apply additional safeguards to sensitive data:

  • Encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Accessible only to you and family members you explicitly invite
  • Never used for advertising, profiling, or third-party sharing
  • Row-level security — our own team cannot query your records without an audit trail

5. Data Storage & Security

Where is data stored?

All data is stored on Supabase servers located in Singapore (ap-southeast-1) — the nearest region to India with enterprise-grade data centres. Supabase is SOC 2 Type II compliant.

Security measures we implement

  • AES-256 encryption at rest for all database records and files
  • TLS 1.2+ encryption for all data in transit
  • Row-Level Security (RLS) — database enforces that users can only access their own data
  • Rate limiting on all authentication endpoints
  • Email verification required for new accounts
  • Session expiry and automatic logout
  • No plain-text passwords stored — bcrypt hashing via Supabase Auth

Data breaches

In the event of a data breach that is likely to cause harm to you, we will notify you by email within 72 hours of becoming aware of it, as required under the DPDP Act 2023.

6. Third-Party Services

Service | Purpose | Data shared | Their privacy policy
Supabase | Database, authentication, file storage | All app data (encrypted) | supabase.com/privacy
Vercel | Web hosting | IP address, request logs | vercel.com/legal/privacy-policy
Razorpay | Payment processing | Email, payment amount (no card numbers) | razorpay.com/privacy
Resend | Transactional email (reminders, OTP) | Email address only | resend.com/privacy
AMFI India API | Live mutual fund NAV data | No personal data sent — only scheme code queries | amfiindia.com

We do not sell, rent, or trade your personal data to any third party for any purpose, including advertising.

7. Your Rights Under DPDP Act 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

7.1 Right to Access

You can view all personal data Sanchay holds about you at any time by logging into your account. You may also request a full data export by emailing support@sanchay.app.

7.2 Right to Correction

You can update or correct any of your personal data directly within the app at any time. If you need help correcting data you cannot access, contact us.

7.3 Right to Erasure (Right to be Forgotten)

You may delete your entire account and all associated data from Settings → Delete Account. All data including uploaded documents will be permanently deleted within 30 days. This action is irreversible.

7.4 Right to Withdraw Consent

You may withdraw consent for processing sensitive data at any time by deleting your account. Note that withdrawal means we cannot continue providing the service.

7.5 Right to Grievance Redressal

If you believe your data rights have been violated, contact our Grievance Officer (see Section 13). If unresolved, you may escalate to the Data Protection Board of India once established.

7.6 Right to Nominate

You may nominate another individual to exercise your data rights in the event of your death or incapacity. Contact us to register a nominee.

8. Data Retention

  • Active accounts: Data is retained for as long as your account exists
  • Deleted accounts: All data permanently deleted within 30 days of account deletion
  • Inactive accounts: Accounts with no login activity for 3 years will receive a deletion warning email. If there is no response, the account and its data will be deleted 90 days later
  • Payment records: Retained for 7 years as required by Indian tax law (GST compliance)
  • Security logs: IP and access logs retained for 90 days for fraud detection, then auto-deleted

9. Children's Privacy

Sanchay is not intended for use by children under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has created an account, contact us immediately at support@sanchay.app and we will delete the account promptly.

You may add children as "people" within a family member's account (e.g. tracking a child's medical records), but the account holder must be 18 or older.

10. Cookies

Sanchay uses only strictly necessary cookies to maintain your login session. We do not use:

  • Advertising or tracking cookies
  • Third-party analytics cookies (e.g. Google Analytics)
  • Any cookies that track you across other websites

The session cookie is deleted when you sign out or close your browser.

11. International Users (NRI)

If you access Sanchay from outside India (e.g. USA, UK, UAE, Singapore, Canada), your data is still stored on servers in Singapore and governed by Indian law (DPDP Act 2023). By using the service, you consent to this transfer and storage.

For users in the European Union: while we are primarily governed by Indian law, we endeavour to meet GDPR standards as a matter of good practice. Contact us for a GDPR data processing addendum if required.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — especially to how we handle sensitive data — we will:

  • Email you at least 14 days before the change takes effect
  • Display a prominent notice in the app
  • Update the "Last updated" date at the top of this page

Continued use of Sanchay after the effective date constitutes acceptance of the updated policy. If you disagree with any changes, you may delete your account before the effective date.

13. Contact & Grievance Officer

As required under the DPDP Act 2023, we have appointed a Grievance Officer to address data-related concerns.

Grievance Officer

Name: [Your Name]
Address: [Your City, State, India — PIN code]
Response time: Within 7 business days

For general queries: support@sanchay.app