Privacy Policy

1. Information We Collect

We collect information in the following categories:

a. Account information

• Name, email address, and profile picture (sourced from Google Sign-In or phone OTP)
• Phone number (where you choose to provide it)

b. Vehicle information

• Make, model, year, variant, and fuel type of vehicles you register
• Service history and odometer readings you enter manually

c. Submitted content

• Symptom descriptions and free-text queries you enter for vehicle diagnosis
• Insurance policy documents (PDF, image) uploaded for analysis — see Section 4 for full details
• Community posts, replies, and reactions

d. Usage and device data

• Pages visited, features used, and timestamps of interactions
• Device type, operating system, and browser/app version
• IP address (used for security and abuse prevention only)

2. How We Use Your Information

• To deliver vehicle diagnosis, insurance analysis, claim-decision, and community features
• To personalise your dashboard with your registered vehicles and saved history
• To improve the accuracy of our AI-powered analysis models
• To send transactional notifications (analysis ready, reply to your post) — never unsolicited marketing without your explicit consent
• To detect, investigate, and prevent fraud, abuse, and security incidents
• To comply with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (DPDPA)

3. Legal Basis for Processing

We process your personal data under the following lawful bases as recognised by the DPDPA 2023:

• Consent — you explicitly agree when creating an account or uploading a document
• Contractual necessity — to fulfil the service you have requested
• Legitimate interest — for security monitoring and product improvement, where your rights are not overridden
• Legal obligation — where Indian law requires us to retain or disclose data

4. Insurance Documents — Handling, Storage & Protection

Insurance policy documents are among the most sensitive financial records a user can share. We treat them accordingly.

Upload and transit

• All file uploads are transmitted over TLS 1.2+ encrypted connections. Files are never sent over unencrypted channels.
• Files are uploaded directly to our cloud storage bucket via a signed, time-limited URL — your document never passes through an intermediate server in plaintext.

Processing

• Uploaded documents are parsed by our backend pipeline (OCR + structured extraction) to identify policy terms, exclusions, IDV, and coverage gaps.
• Processing is performed in an isolated, short-lived compute environment. Raw document bytes are not logged or cached during processing.
• We do not share uploaded documents with any third-party advertising network, data broker, or insurance company.

Storage

• The original document file is stored in encrypted cloud object storage (AES-256 at rest) linked exclusively to your authenticated user account.
• Storage is scoped by Row Level Security (RLS) policies — no other user or internal process can access your document without your account credentials.
• Documents are retained for as long as your account is active so that you can re-access your analysis history. You may delete individual documents or your entire account at any time (see Section 8).
• If you delete a document or your account, files are permanently and irreversibly deleted from all storage layers within 30 days.

What we extract and store

• We store the structured analysis output (policy type, coverage amounts, identified gaps, risk score) separately from the raw document.
• The structured output does not contain your Aadhaar number, PAN, bank account details, or any biometric data — these are never extracted or stored.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Cloud infrastructure providers — we use Google Cloud (Cloud Run, Cloud Storage, Vertex AI) and Supabase to host and operate the platform. Both operate under strict data-processing agreements and do not use your data for their own purposes.
• Authentication provider — Google Sign-In processes your Google account credentials under Google's own privacy policy.
• Community posts — content you post publicly in the Community section is visible to other registered users. Do not include sensitive personal or financial information in public posts.
• Legal disclosure — we may disclose data if required by a court order, regulatory authority, or other lawful process under Indian law. We will notify you of such requests where legally permitted.

6. Data Security

• All data in transit is protected by TLS 1.2 or higher
• All data at rest is encrypted using AES-256
• Database access is governed by Supabase Row Level Security (RLS) — each row of user data is cryptographically scoped to its owner
• Authentication tokens are short-lived JWTs; refresh tokens are rotated on every use
• Internal access to production data is restricted to authorised personnel and is logged
• We conduct periodic security reviews of our infrastructure and dependencies

No system is 100% secure. If you suspect a security incident involving your data, contact us immediately at privacy@vahansense.com.

7. Data Retention

• Account data and saved analyses are retained for as long as your account remains active
• Session logs and IP records used for security are retained for a maximum of 90 days
• Anonymised, aggregated usage statistics (no personal identifiers) may be retained indefinitely for product improvement
• Upon account deletion, all personally identifiable data — including uploaded documents, vehicle records, and community posts — is permanently deleted within 30 days

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDPA) and general data-protection principles, you have the right to:

• Access — view all personal data we hold about you from your in-app profile and history
• Correction — update inaccurate account or vehicle information at any time
• Portability — export your data in a machine-readable format via the “Download My Data” feature
• Erasure — delete individual documents, analyses, or your entire account from app settings; permanent deletion within 30 days
• Withdraw consent — withdraw your consent to processing at any time; this will not affect the lawfulness of processing before withdrawal
• Grievance redressal — raise a complaint with our designated Data Protection Officer (see Section 11)

9. Cookies & Tracking

This website uses only strictly necessary cookies for authentication and session management. We do not use:

• Third-party advertising or retargeting cookies
• Cross-site tracking technologies
• Social media pixel trackers

You may clear cookies through your browser settings at any time. Doing so will log you out of your session.

10. Children's Privacy

VahanSense is intended for users aged 18 and above. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us and we will delete it promptly.

11. Legal Entity & Data Controller

VahanSense is owned and operated by VahanSure Technologies, a registered small business (MSME) under the Government of India's Udyam scheme.

Udyam Registration No.: UDYAM-MH-26-1130616

Data Protection Officer / Grievance Officer:
For DPDPA-related concerns or formal grievances, email privacy@vahansense.com with the subject line “Data Privacy Grievance”. We acknowledge complaints within 48 hours and aim to resolve them within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. For material changes, we will notify registered users via in-app notification or email at least 14 days before the change takes effect. Continued use of VahanSense after that date constitutes acceptance of the revised policy.

13. Contact Us

For any privacy-related question, data access request, or concern, reach us at:
privacy@vahansense.com — we respond within 24 hours on business days.