Transparency in how we collect, store, protect, and let you control your data
Cloud Provider: AWS (Amazon Web Services) or Microsoft Azure with India-based data centers
Physical Location: Mumbai & Hyderabad (AWS) or Pune, Chennai & Mumbai (Azure)
Compliance: Meets India's data localization requirements
Note: While the DPDP Act 2023 doesn't mandate data localization for all data types, we voluntarily choose India hosting to build trust with our Indian users and ensure data sovereignty.
All stored data is encrypted using industry-standard AES-256 encryption
• Database: Encrypted volumes
• File storage: Encrypted buckets
• Backups: Encrypted snapshots
All communications use TLS 1.3 encryption (HTTPS)
• Website: HTTPS only
• API calls: TLS 1.3
• No insecure HTTP connections
Role-based permissions and multi-factor authentication
• MFA for admin access
• Least privilege principle
• Regular access audits
Many users wonder: "If MannSetu uses zero-knowledge encryption and can't read my messages, how can it detect if I'm in crisis?" The answer is on-device AI.
The key message: Your conversations are analyzed locally on your device. We never see your messages, but your device can still detect crisis situations and show you emergency resources. This is how MannSetu provides both complete privacy AND effective safety protection.
| Data Type | Retention Period | User Control |
|---|---|---|
| Chat History | 90 days (auto-delete after) | Can delete anytime |
| Mood Entries | Until account deletion | Can delete individual entries |
| Journal Entries | Until user deletes | Full control |
| Voice Recordings | 24 hours (transcribed then deleted) | Auto-deleted |
| Profile Data | Until account deletion | Can update anytime |
| Account Data (after deletion request) | 30 days (grace period for recovery) | Can cancel deletion |
| Anonymized Analytics | Indefinite (cannot identify you) | Opt-out available |
Download a complete copy of all your data in JSON or CSV format
Includes: Profile, mood entries, chat history, journal entries, exercise completions, and assessments
Format: JSON (machine-readable) or CSV (Excel-compatible)
Timeline: Instant download or emailed within 24 hours for large datasets
Permanently delete all your data with a 30-day grace period
What happens: Account deactivated immediately, data deleted after 30 days
Grace period: 30 days to cancel deletion and restore your account
Permanent deletion: After 30 days, all data is irrecoverably deleted
View and update your profile information anytime
What you can update: Name, email, age, gender, language, preferences
Email changes: Require verification for security
Timeline: Changes apply immediately
Opt out of analytics tracking or marketing emails
Analytics: Disable Google Analytics and Clarity tracking
Marketing: Unsubscribe from promotional emails
Effect: Changes apply within 24 hours
Your Rights Are Our Priority
We are actively building data export and consent management features to fully support your DPDP Act rights. Until then, you can email sattyamjain96@mannsetu.com to manually request data export or consent changes. We will respond within 72 hours.
We NEVER Sell Your Data
MannSetu will never sell, rent, or trade your personal or mental health data to advertisers, data brokers, or third parties. Your trust is more valuable than revenue.
Quarterly penetration testing and vulnerability scans
Daily encrypted backups with 30-day retention
All data access logged and monitored for 1 year
24-hour breach notification to DPB and affected users
Mandatory data privacy training for all team members
We only collect data essential for service delivery
DPDP Act 2023 Compliance In Progress
We are actively building data export and consent management features to fully comply with the Digital Personal Data Protection Act 2023. Expected availability: Q1 2026.
Contact our Grievance Officer under DPDP Act 2023 for any data-related inquiries