Trust & Data Practices
Transparency in how we collect, store, protect, and let you control your data
Data Residency: Your Data Stays in India
Where Your Data Lives
Cloud Provider:
AWS (Amazon Web Services) or Microsoft Azure with India-based data centers
Physical Location:
Mumbai & Hyderabad (AWS) or Pune, Chennai & Mumbai (Azure)
Compliance:
Meets India's data localization requirements
Why India Hosting Matters
- Data Sovereignty: Your data is subject to Indian laws, not foreign jurisdictions
- Low Latency: Faster response times for seamless conversations
- Trust & Transparency: We choose India hosting even though it's not legally mandated
Note: While the DPDP Act 2023 doesn't mandate data localization for all data types, we voluntarily choose India hosting to build trust with our Indian users and ensure data sovereignty.
Encryption & Security
Data at Rest
All stored data is encrypted using industry-standard AES-256 encryption
• Database: Encrypted volumes
• File storage: Encrypted buckets
• Backups: Encrypted snapshots
Data in Transit
All communications use TLS 1.3 encryption (HTTPS)
• Website: HTTPS only
• API calls: TLS 1.3
• No insecure HTTP connections
Access Control
Role-based permissions and multi-factor authentication
• MFA for admin access
• Least privilege principle
• Regular access audits
Data Retention Policy
| Data Type | Retention Period | User Control |
|---|---|---|
| Chat History | 90 days (auto-delete after) | Can delete anytime |
| Mood Entries | Until account deletion | Can delete individual entries |
| Journal Entries | Until user deletes | Full control |
| Voice Recordings | 24 hours (transcribed then deleted) | Auto-deleted |
| Profile Data | Until account deletion | Can update anytime |
| Account Data (after deletion request) | 30 days (grace period for recovery) | Can cancel deletion |
| Anonymized Analytics | Indefinite (cannot identify you) | Opt-out available |
Your Data Rights (DPDP Act 2023)
Export Your Data
Download a complete copy of all your data in JSON or CSV format
Includes: Profile, mood entries, chat history, journal entries, exercise completions, and assessments
Format: JSON (machine-readable) or CSV (Excel-compatible)
Timeline: Instant download or emailed within 24 hours for large datasets
Delete Your Account
Permanently delete all your data with a 30-day grace period
What happens: Account deactivated immediately, data deleted after 30 days
Grace period: 30 days to cancel deletion and restore your account
Permanent deletion: After 30 days, all data is irrecoverably deleted
Access & Correct Data
View and update your profile information anytime
What you can update: Name, email, age, gender, language, preferences
Email changes: Require verification for security
Timeline: Changes apply immediately
Withdraw Consent
Opt-out of analytics tracking or marketing emails
Analytics: Disable Google Analytics and Clarity tracking
Marketing: Unsubscribe from promotional emails
Effect: Changes apply within 24 hours
Third-Party Data Sharing
Who Has Access to Your Data?
We NEVER Sell Your Data
MannSetu will never sell, rent, or trade your personal or mental health data to advertisers, data brokers, or third parties. Your trust is more valuable than revenue.
Limited Third-Party Services (with your consent)
- Analytics:Google Analytics, Microsoft Clarity - Anonymized usage data to improve user experience (you can opt-out)
- Payments:Razorpay / Stripe - PCI-DSS compliant payment processing (we don't store card details)
- Cloud:AWS / Azure - India-based data centers for hosting (encrypted storage)
- Email:SMTP Provider - Transactional emails (account verification, notifications)
Additional Security Measures
Regular Security Audits
Quarterly penetration testing and vulnerability scans
Database Backups
Daily encrypted backups with 30-day retention
Access Logs
All data access logged and monitored for 1 year
Incident Response
24-hour breach notification to DPB and affected users
Employee Training
Mandatory data privacy training for all team members
Data Minimization
We only collect data essential for service delivery
Legal Compliance
DPDP Act 2023
- ✓ Data Fiduciary appointed
- ✓ Consent management
- ✓ User rights workflow
- ✓ Breach notification protocol
IT Rules 2021
- ✓ Grievance Officer (India-based)
- ✓ 24hr acknowledgment
- ✓ 15-day resolution
- ✓ SPDI protection
Mental Healthcare Act 2017
- ✓ Crisis escalation protocols
- ✓ "Not a substitute" disclaimers
- ✓ Confidentiality standards
- ✓ Professional referral system
Related Resources
Questions About Your Data?
Contact our Data Fiduciary (Grievance Officer) for any data-related inquiries