Where is my data stored?

In India. Our database and scan service both run in the Mumbai region, so your personal data never leaves the country.

Is my data encrypted?

Yes. All data is encrypted at rest with AES-256 and encrypted in transit over TLS. Nothing is stored or sent in plain text.

Does my password ever leave my device when I check it?

No. The password check uses k-anonymity: your password is hashed inside your browser and only the first 5 characters of that hash are sent. The full password never leaves your device.

Never. We don't sell, rent, share, or advertise against your data. We use it only to run your scan and send removal requests you approve.

Security & Data Residency — Saaph.in | Your Data Stays in India

🛡️

The short version

Your data is stored in India, encrypted at rest and in transit, used only to run your scan and send removals you approve, and never sold, shared, or advertised against. Password checks happen in your browser using k-anonymity. You can delete everything anytime.

On this page

Where your data lives (India)
Encryption
Private password checks (k-anonymity)
What we collect & how it's used
What we never do
Your control & deletion
Our infrastructure

Where your data lives — in India 🇮🇳

Data residency matters under the DPDP Act 2023, and for trust. Both halves of Saaph run in the Mumbai region of India:

Your account & scan data — stored in our database, hosted in Mumbai, India.
The scan service — also runs in Mumbai, India.

Your personal data is processed and stored on Indian soil — it doesn't get shipped to a US or EU data centre.

Encryption — at rest and in transit

Everything is encrypted, both while stored and while moving:

At rest: all stored data is encrypted with AES-256 by default on our cloud infrastructure — nothing is kept in plain text.
In transit: every connection between your browser, our scan engine, and the database uses HTTPS / TLS.
Authentication is handled by a dedicated, industry-standard authentication provider — we never see or store your Google/phone login credentials.

Private password checks — k-anonymity

When you check whether a password has leaked, the password never leaves your device. We hash it inside your browser and send only the first 5 characters of that hash to the breach database — which matches hundreds of possible hashes at once, so no service can tell which one is yours. This technique is called k-anonymity. It's the same method trusted privacy tools use, and it means we never see your password.

What we collect & how it's used

We collect only what's needed to find and remove your exposed data:

Your footprint — name, emails, phone, city, usernames you choose to add.
What it's used for — solely to check breach databases and Indian data brokers for your information, and to send DPDP erasure requests you approve.
Removal emails — sent to the company, with you CC'd, so companies reply directly to you.

We don't use your data to train models, build profiles, or target ads.

What we never do

❌ Sell, rent, or share your personal data with third parties.
❌ Show you ads or run ad-network / tracking pixels.
❌ Store your data outside India.
❌ Read or store your passwords.
❌ Send a single removal email without your approval.

Your control & deletion

Under the DPDP Act 2023 you are the Data Principal and stay in control:

Your footprint is kept in your browser and your private Saaph account — you can delete it anytime.
You approve every removal email; nothing is sent on your behalf without you.
Questions or a deletion request? Email data@saaph.in.

Our infrastructure

Saaph runs on enterprise-grade cloud infrastructure pinned to India — the same class of platform that secures countless apps worldwide. Static pages are served over a global CDN; all personal data processing stays in Mumbai.

🆓

Free until December 2026

Scanning and all tools are free through Dec 2026. Run your free scan →

Your data stays in India.Encrypted. Never sold.