🔒 PRIVACY POLICY

We Built This to Protect Your Data.
We Won't Misuse It Either.

Saaph.in is a privacy product. Our entire purpose is to help you remove your data from the internet — so we hold ourselves to a higher standard than most companies. This policy explains exactly what we collect, why, where it lives, and the rights you have under India's DPDP Act 2023.

📅 Effective: 10 June 2026 📍 Governing law: India (DPDP Act 2023) 📧 Grievance Officer: data@saaph.in
🛡️
Our core commitments — in plain language

Your data is stored and processed in India, encrypted at rest and in transit, and used only to run your scan and send the removal requests you approve. We never sell, rent, or share your personal data, we show no ads and run no tracking pixels, and we never store your passwords. You can access or delete your data at any time.

In this policy
  1. Who We Are
  2. What We Collect & Why
  3. How We Use Your Data
  4. Where It's Stored & Who Processes It
  5. What We Explicitly Don't Do
  6. Cookies & Analytics
  7. Your Rights Under DPDP Act 2023
  8. Children's Data
  9. Data Retention
  10. Security & Breach Notification
  11. Changes to This Policy
  12. Grievance Officer & Contact
01

Who We Are

Saaph.in is operated by Ronin Works Private Limited, a company registered in India (Hyderabad, Telangana). Saaph is a tool that helps individuals discover where their personal data is exposed across Indian and global platforms and prepare and send their own data-erasure requests under the Digital Personal Data Protection Act 2023 ("DPDP Act").

For the purposes of the DPDP Act, Ronin Works Private Limited (operating as "Saaph", "we", "us", "our") is the Data Fiduciary for the personal data you provide to us, and you are the Data Principal. When you use Saaph to send a removal request, Saaph acts only as a communication facilitator that transmits your own request to the relevant company at your instruction, with you kept in copy and the company asked to reply to you directly. Saaph does not act as your legal, authorised, or other representative or agent, does not exercise your rights for you, and does not take on any legal representation of you. You remain the Data Principal exercising your own rights, and the requests are your own.

02

What We Collect & Why

We collect only what we need to find and remove your exposed data. You provide most of it yourself during onboarding.

DataWhy we collect it
Name, email(s), phone, cityYour "footprint" — used to search for your exposure and to address removal requests correctly.
Usernames / handles (optional)To check for public profiles registered to you.
Scan results & findingsWhat we discovered (accounts, data-broker listings, breach exposure) so we can show your report and track removals.
Breach exposureWhether your email appears in known data breaches, checked against breach-intelligence databases.
Removal recordsWhich companies were contacted, when, the 90-day deadline, and status.
Preferred contact emailSo companies reply directly to you (you are CC'd on every removal email).
Consent & account recordsTo prove you agreed to our terms and to manage your account/login.
Feedback you submitTo improve the product (only if you choose to send it).
🔑
We never store your passwords

If you check whether a password has leaked, that check happens inside your browser using k-anonymity — only a short, partial fingerprint of the password is used, and the password itself never leaves your device and is never sent to us.

03

How We Use Your Data

We use your data only to deliver the service:

  • To run your scan — checking breach databases and Indian/global data brokers for your information.
  • To draft and send DPDP erasure requests you approve to the companies holding your data, with you CC'd.
  • To track each request's 90-day statutory deadline and let you send follow-ups or escalate.
  • To re-scan periodically (data re-appears) and alert you to new exposure.
  • To operate your account, provide support, and respond to your requests.

We do not use your data to build advertising profiles, train AI models, or for any purpose you haven't agreed to.

Legal basis & consent. We process your data on the basis of the consent you give when you create an account and start a scan. You can withdraw consent at any time by closing your account or emailing us — withdrawal stops further processing (though it doesn't undo actions already taken at your request, such as a removal email already sent).

04

Where It's Stored & Who Processes It

Your personal data is stored and processed in India (Mumbai region), encrypted at rest and in transit. See our Security & Data Residency page for detail.

To run the service we rely on a small number of reputable third-party processors, bound by contract to protect your data and use it only on our instructions. We use them by category, not to monetise your data:

  • Cloud infrastructure (database & compute) — enterprise-grade, hosted in India.
  • Authentication — a dedicated login provider (we never see your Google/phone credentials).
  • Email delivery — to transmit your removal requests (with you kept in copy) and send account emails.
  • Breach-intelligence databases — queried to check exposure; password checks use k-anonymity so no password leaves your device.

The only other parties who receive your data are the companies you direct us to contact for a removal — and only the details necessary for that request (with you CC'd). We do not sell, rent, or share your data with anyone else.

05

What We Explicitly Don't Do

Because we're a privacy company, we think it's important to be explicit:

  • ❌ We do not sell, rent, or trade your personal data to anyone.
  • ❌ We do not share your data with advertisers or marketing platforms.
  • ❌ We do not run ad-network tracking or tracking pixels.
  • ❌ We do not send your data to data brokers (that would defeat our purpose).
  • ❌ We do not show targeted ads anywhere on Saaph.
  • ❌ We do not use your data to train AI models.
  • ❌ We do not read or store your passwords.
  • ❌ We do not keep your data after account closure beyond what the law requires.
06

Cookies & Analytics

We use only the cookies and storage strictly necessary for the service to work:

  • Authentication — keeps you signed in to your account (Firebase).
  • Security — bot / abuse protection (Google reCAPTCHA & App Check).
  • Payments — only on the checkout flow (Razorpay).
  • Preferences & local storage on your device — theme, session, and your in-progress footprint and report so the app works smoothly. You can clear it any time from your browser.

We do not use advertising cookies, third-party ad/analytics trackers, or any cookie that follows you across other websites. Any internal usage metrics are aggregated counts with no personal identifiers.

Your consent (DPDP Act 2023). On your first visit we show a consent notice and record your choice. Because Saaph uses only essential cookies, accepting keeps the service working; there are no advertising or analytics cookies to opt into (a control for future privacy-first analytics stays off unless you turn it on). Your consent is as easy to withdraw as to give — use the "Cookie preferences" link in the footer at any time to review or change it. For signed-in users we keep a record of the consent given, as required for demonstrable consent under the DPDP Act 2023.

07

Your Rights Under DPDP Act 2023

As a Data Principal you have the right to:

  • Access — a summary of the personal data we hold about you.
  • Correction & updating — fix anything inaccurate or incomplete.
  • Erasure — delete your account and associated data.
  • Withdraw consent — stop further processing at any time.
  • Grievance redressal — raise a complaint and have it addressed.
  • Nominate — nominate another person to exercise your rights in the event of death or incapacity.

To exercise any right, email data@saaph.in with the subject "DPDP Rights Request". We aim to acknowledge within 7 business days and complete the action within 30 days. If you're not satisfied with how we handle your grievance, you may escalate to the Data Protection Board of India.

08

Children's Data

Saaph is intended for adults (18+). We do not knowingly process the personal data of a child without verifiable parental/guardian consent, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children, in line with the DPDP Act. If you believe a child has provided us data, contact data@saaph.in and we will delete it.

09

Data Retention

We keep your data only as long as needed to provide the service:

  • Your footprint, scan history, and removal records are deleted within 30 days of closing your account.
  • Breach/password checks are not stored as standalone records once your scan is complete.
  • Where payments apply in future, payment records may be retained for the period required by Indian financial/tax law and are held by a PCI-DSS-compliant payment processor, not by us.
  • Anonymised, aggregated statistics (containing no personal identifiers) may be retained to improve the service.
10

Security & Breach Notification

We apply strong, industry-standard safeguards:

  • All data is encrypted in transit (TLS) and at rest.
  • We never store your passwords; login is handled by a dedicated authentication provider.
  • Access to systems is restricted to authorised personnel, with logging.
  • Processing is pinned to India (Mumbai).
⚠️
In the event of a data breach

We will notify affected users and the Data Protection Board of India within the timeframe required by the DPDP Act, and be transparent about what was affected and the steps we are taking.

11

Changes to This Policy

We may update this policy when our practices change or when required by law. For material changes we will notify account holders by email before the change takes effect. The effective date at the top shows when this version was last updated; previous versions are available on request.

12

Grievance Officer & Contact

For any question about this policy, to exercise your rights, or to raise a grievance, contact our Grievance Officer:

Grievance Officer — Ronin Works Private Limited (Saaph.in)
📧 data@saaph.in
📞 +91 8333012111
📍 Hyderabad, Telangana, India
⏱ Response time: within 7 business days
⚖️ Governing law: DPDP Act 2023 & IT Act 2000 (India)