Privacy Policy
Last updated: January 2025 · Effective: January 1, 2025
Indiagram is built on a zero-knowledge principle: we collect the minimum data required to operate and never sell, trade, or share your personal information with third parties for commercial purposes. This policy explains what we collect, why, and your rights under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law.
1. Who We Are
Indiagram ("we", "us", "our") is an anonymous civic intelligence platform operated from India. Our registered contact for data matters is privacy@indiagram.in.
2. What Data We Collect
2.1 Account Data
- Email address — required only for account creation and magic-link login. We do not store passwords.
- Display name / handle — optional, chosen by you, can be a pseudonym.
- City preference — optional, used to personalise local feeds.
2.2 Content Data
- Posts, tips, media, and knowledge contributions you submit.
- Votes, reactions, and poll responses.
- Channel messages (stored for 180 days per DPDP guidelines).
2.3 Technical Data
- IP address (for rate limiting and geo-tagging of reports; retained 90 days).
- Browser/device type via User-Agent (for analytics; never linked to identity).
- Session tokens (hashed with SHA-256; expire in 30 days).
2.4 What We Do NOT Collect
- Government ID, Aadhaar, PAN, or any KYC documents.
- Payment information (we have no paid tier).
- Device identifiers, contacts, or location beyond city-level.
3. How We Use Your Data
- To operate and personalise your Indiagram experience.
- To detect and prevent abuse, spam, and illegal content.
- To send you magic-link emails you explicitly requested.
- To comply with lawful orders from Indian courts and CERT-In.
4. Data Sharing
We do not sell your data. We may share data with:
- Service providers — hosting (Hostinger), email delivery (SMTP), AI analysis (OpenAI, if enabled) — all under data processing agreements.
- Law enforcement — only when required by a valid legal order under Indian law. We will notify you unless prohibited by the order.
5. Anonymous Submissions
You may submit tips, reports, and media without creating an account. Anonymous submissions are assigned a one-time cryptographic session ID that is not linked to any personal data. We cannot reverse-identify anonymous contributors unless legally compelled and technically capable.
6. Retention
- Account data: retained while your account is active + 30 days after deletion request.
- Published content: retained unless you delete it or an admin removes it for policy violations.
- IP logs: 90 days.
- Channel messages: 180 days.
- Consent logs: 7 years (regulatory requirement).
7. Your Rights (DPDP Act, 2023)
- Right to access — request a copy of all data we hold about you.
- Right to correction — request correction of inaccurate data.
- Right to erasure — request deletion of your account and personal data.
- Right to grievance redressal — lodge a complaint with our Grievance Officer.
To exercise any right, email privacy@indiagram.in with subject line "DPDP Request". We will respond within 30 days.
8. Cookies
We use a single session cookie (httpOnly, SameSite=Lax) required for login. We do not use tracking or advertising cookies. Analytics, if enabled, uses privacy-first tools (Plausible) with no cross-site tracking.
9. Security
All data is encrypted in transit (TLS 1.2+). Passwords are never stored — we use magic-link authentication only. Session tokens are hashed with SHA-256. We conduct periodic security reviews.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on the platform 30 days before taking effect. Continued use constitutes acceptance.
11. Contact
Grievance Officer: privacy@indiagram.in
Response time: Within 30 days as required by DPDP Act, 2023.