Privacy Policy

Last updated: May 14, 2026

Important Notice

This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Please read this policy carefully as it describes how your personal and medical data is collected, used, stored, and protected.

1. Data Fiduciary Information

Under the DPDP Act, 2023, Suraksha Technologies LLP acts as the “Data Fiduciary” responsible for the processing of your personal data:

Data Fiduciary: Suraksha Technologies LLP

Registered Address: Hyderabad, Telangana, India

Data Protection Officer / Grievance Officer: Purohit Sharma

Contact Email: support@surakshaapp.in

2. Personal Data We Collect

We collect the following categories of personal data, each for a specified and lawful purpose:

2.1 Identity Data: Full name, age, gender, email address, phone number. Purpose: Account creation, authentication, and communication.

2.2 Medical Data: Blood group, medical conditions, allergies. Purpose: Display on the emergency QR scan page to assist bystanders during medical emergencies. This data is classified as sensitive personal data under Rule 3 of the IT (Sensitive Personal Data) Rules, 2011.

2.3 Emergency Contact Data: Names, phone numbers, and relationship of up to two emergency contacts. Purpose: Enabling masked calling during emergencies.

2.4 Address & Location Data: Delivery address (street, city, state, pincode) and GPS coordinates (optional, only if you consent to location services). Purpose: Sticker delivery and emergency location sharing.

2.5 Payment Data: Transaction ID, order ID, payment status. Purpose: Payment verification and subscription management. Note: Credit/debit card numbers and bank details are NOT collected or stored by RESCUQR. All payment processing is handled by Razorpay, which is PCI-DSS compliant and authorised by the Reserve Bank of India (RBI).

2.6 Scan Data: When your QR code is scanned, we log the scan timestamp, approximate GPS location of the scanner (if available), and the scanner’s device type. Purpose: Scan analytics and emergency location sharing with your contacts.

2.7 Technical Data: IP address, browser type, device information. Purpose: Security, fraud prevention, and service improvement.

3. Lawful Basis for Processing (DPDP Act, Section 4)

We process your personal data on the following lawful bases:

(a) Consent (Section 6): You provide explicit, informed, specific, and freely given consent when you create your account and fill in your medical profile. Your consent is obtained through a clear affirmative action (checking the consent checkbox during signup).

(b) Certain Legitimate Uses (Section 7): Processing necessary for compliance with legal obligations, for responding to medical emergencies (where the data is processed to protect the vital interests of the Data Principal), and for performing obligations under a contract (providing the subscription service you have paid for).

4. Consent Management

(a) Consent is obtained at the time of account creation through a clear, unbundled, and specific consent mechanism as required by Section 6 of the DPDP Act.

(b) The purpose of data collection is communicated in plain language before consent is obtained.

(c) You may withdraw your consent at any time by using the “Erase My Data” function on your profile page or by emailing support@surakshaapp.in. Upon withdrawal of consent, your account will be deactivated and all personal data will be deleted within 30 days.

(d) Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. Data Visibility Controls

RESCUQR provides granular privacy controls that allow you to decide which information is displayed when your QR code is scanned. You may toggle the visibility of your name, age, gender, blood group, medical conditions, and allergies independently. Emergency contact call buttons are always displayed as they are essential to the core safety function of the service.

6. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal data. Your data may be shared with the following categories of Data Processors, strictly for the purposes specified:

(a) Supabase Inc. (Database hosting): Stores your encrypted profile and medical data on servers. Data is stored with encryption at rest.

(b) Razorpay Software Pvt. Ltd. (Payment processing): Processes your payment transactions. RBI-authorised, PCI-DSS compliant.

(c) Twilio Inc. (Telephony): Facilitates masked emergency calls. Phone numbers are routed through Twilio’s proxy service and are not exposed to either party.

(d) Vercel Inc. (Website hosting): Hosts the RESCUQR website. No personal data is stored on Vercel servers; it serves as a front-end delivery platform.

(e) Law Enforcement: We may disclose your data if required by law, court order, or government directive under applicable Indian law, including under Section 69 of the IT Act, 2000.

7. Data Storage & Security

We implement reasonable security practices and procedures as mandated by the IT (Reasonable Security Practices) Rules, 2011:

(a) All data is stored with encryption at rest on Supabase’s PostgreSQL database.

(b) All API communications use HTTPS/TLS encryption in transit.

(c) Row Level Security (RLS) policies ensure users can only access their own data.

(d) Server-side authentication is required for all data access endpoints.

(e) API routes handling sensitive data (export, delete, call) verify the authenticated user’s identity before processing.

(f) Rate limiting is implemented on the masked calling feature (3 calls per contact per hour) to prevent abuse.

(g) Service role keys and API secrets are stored as environment variables and never exposed to client-side code.

8. Data Retention

(a) Your personal data is retained for the duration of your active subscription.

(b) After subscription expiry without renewal, data is retained for 90 days to allow for renewal, after which it may be deleted.

(c) Upon account deletion or data erasure request, all personal data is permanently deleted within 30 days.

(d) Anonymised and aggregated scan analytics (with no personally identifiable information) may be retained indefinitely for service improvement purposes.

(e) Payment transaction records may be retained for up to 7 years as required under Indian tax and accounting laws (Income Tax Act, 1961 and GST Act, 2017).

9. Your Rights as Data Principal (DPDP Act, Sections 11-14)

Under the DPDP Act, 2023, you have the following rights:

(a) Right to Access (Section 11): You may request a summary of your personal data being processed and the processing activities. This can be exercised via the “Download My Data” button on your profile page.

(b) Right to Correction & Erasure (Section 12): You may correct inaccurate data through your profile page, or request complete erasure of your data via the “Erase My Data” button. Upon erasure, your QR code will be deactivated permanently.

(c) Right to Grievance Redressal (Section 13): You may raise a grievance with our Data Protection Officer. Details are provided in Section 12 below.

(d) Right to Nominate (Section 14): You may nominate another person to exercise your rights in the event of your death or incapacity. To do so, email support@surakshaapp.in with your nomination details.

10. Children’s Data

In accordance with Section 9 of the DPDP Act, 2023, we do not knowingly collect personal data from children (persons under 18 years of age) without verifiable consent from a parent or lawful guardian. If you are creating a profile for a minor, you represent that you are the parent or guardian and you consent on the child’s behalf.

11. Data Breach Notification

In the event of a personal data breach, we will: (a) notify the Data Protection Board of India as required under the DPDP Act, 2023; (b) notify affected Data Principals without unreasonable delay; and (c) take immediate steps to mitigate the breach and prevent recurrence.

12. Grievance Officer / Data Protection Officer

Name: Purohit Sharma

Designation: Founder, Grievance Officer & Data Protection Officer

Organisation: Suraksha Technologies LLP

Email: support@surakshaapp.in

Address: Hyderabad, Telangana, India

Grievances will be acknowledged within 48 hours and resolved within 30 days. If you are not satisfied with the resolution, you may escalate the matter to the Data Protection Board of India as constituted under the DPDP Act, 2023.

13. Cross-Border Data Transfer

Your data may be processed by third-party service providers (Supabase, Twilio, Vercel) whose servers may be located outside India. Such transfers are conducted in compliance with Section 16 of the DPDP Act, 2023, and only to countries or territories not restricted by the Central Government of India. We ensure that all such processors maintain adequate data protection standards.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a notice on the platform at least 15 days before they take effect. The “Last updated” date at the top indicates the most recent revision.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in Hyderabad, Telangana, India.