Privacy Policy

Effective: 15 March 2026

Tanris Technologies Pvt Ltd ("we", "us", "our", the "Data Fiduciary") operates the KarSafe mobile application. This policy describes how we collect, use, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

1. Data Fiduciary

Tanris Technologies Pvt Ltd, a company incorporated in India, is the Data Fiduciary responsible for processing your personal data through the KarSafe application.

2. Personal Data We Collect

We collect and process the following personal data for the purposes stated below:

• Account Information: When you sign in with Google or Apple, we receive your name and email address from the identity provider. Purpose: Authentication and account identification.
• Documents: Documents you upload are encrypted on your device before being transmitted to our servers. We cannot read or access the contents of your documents. Purpose: Secure document storage as requested by you.
• Usage Data: Anonymous analytics (screen views, feature usage) via Firebase Analytics. No document contents or personally identifiable information is included. Purpose: Improving app stability and user experience.
• Crash Reports: Device model, OS version, and stack traces via Firebase Crashlytics. No document contents or encryption keys are included. Purpose: Diagnosing and fixing technical issues.

3. Consent

• We process your personal data based on your explicit, informed consent obtained during onboarding.
• You may withdraw your consent at any time by deleting your account from the Security screen in the app. Withdrawal of consent will result in permanent deletion of all your data.
• Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4. Purpose Limitation

Your personal data is processed only for the following specific purposes:

• To authenticate you and provide access to your encrypted vault.
• To store your encrypted documents securely in cloud storage.
• To improve app stability and user experience through anonymous analytics.
• To communicate important account or service updates.

5. Encryption and Security

• All documents are encrypted on your device using AES-256 with a unique encryption key per document before upload. We never have access to your encryption keys or document contents.
• Your vault PIN and recovery phrase are used to derive encryption keys locally. They are never transmitted to or stored on our servers.
• Biometric authentication (Face ID / fingerprint) is handled entirely by your device's secure enclave. We do not receive or store biometric data.
• We maintain reasonable security safeguards to protect personal data from unauthorised access, use, modification, disclosure, or destruction.

6. Data Storage

• Account data and encrypted document metadata are stored in Google Cloud Firestore.
• Encrypted document files are stored in Google Cloud Storage.
• All data is hosted in secure, SOC 2 compliant Google Cloud infrastructure in India (asia-south1 region).

7. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

• With Google Cloud services for infrastructure (storage, authentication) — acting as a Data Processor on our behalf.
• When required by law, court order, or direction of any authority under Indian law.

8. Data Retention and Deletion

• Your data is retained only as long as your account is active and the purpose of processing is fulfilled.
• You can delete your account and all associated data at any time from the Security screen in the app. This permanently removes your profile, documents, and encryption keys from our servers.
• Deletion is irreversible and typically completes within 24 hours.
• We do not retain personal data beyond what is necessary for the stated purposes.

9. Your Rights Under DPDP Act

As a Data Principal, you have the following rights:

• Right to Access: You can export all your documents and data from the app at any time.
• Right to Correction: You can update your account information through your Google/Apple identity provider.
• Right to Erasure: You can delete your account and all data from within the app.
• Right to Withdraw Consent: You can withdraw consent at any time by deleting your account. This is as easy as giving consent.
• Right to Grievance Redressal: You may raise a complaint through the contact details below.
• Right to Nominate: In case of death or incapacity, your nominee may exercise your rights. Due to our zero-knowledge encryption, a nominee will need access to your recovery phrase to retrieve encrypted documents. Contact us at cr@tanris.in to learn more about the nominee process.

10. Children's Privacy

KarSafe is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Data Breach Notification

In the event of a personal data breach that is likely to cause harm, we will notify the Data Protection Board of India as required under the DPDP Act. We will also take immediate steps to mitigate the breach and inform affected users.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes through the app or by email. Continued use of KarSafe after changes constitutes acceptance of the updated policy.

13. Grievance Redressal

If you have any questions, concerns, or grievances about this privacy policy or the processing of your personal data, please contact us at:

Tanris Technologies Pvt Ltd
Email: cr@tanris.in
We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days.