
Privacy Policy

Effective: 21 May 2026 · Version: v1.1 · Applies to: pramaan.me + recipient sign-up page
The short version. We collect what we need to issue and verify certificates — and nothing else. Recipients give us their name and email; organisers also give us payment info. We don't sell your data, we don't use it for advertising, and we don't train AI models on it. You can ask us to delete your data at any time. The Digital Personal Data Protection Act, 2023 applies — your rights under it are set out in section 8.
Clause 01

Who we are

This Privacy Policy applies to pramaan.me and the recipient sign-up page at issue.pramaan.me. Both are operated by:

Operator: HawkLogic Systems Private Limited
CIN: U30305KA2024PTC194380
Address: HD-80, Manyata Redwood, WeWork India Management, Venkateshapura, Bangalore North, Bangalore — 560045, Karnataka, India
GSTIN: 29AAHCH5976L1ZQ
DPIIT: DIPP193280
Contact: founders@hawklogicsystems.com

For data collected through the recipient sign-up page, the Organizer who configured the event is the data fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act); we act as the data processor on their instruction. For data collected through the Organizer signup — account, payment, billing — we are the data fiduciary.

Clause 02

What we collect

From Organizers (you, on signup):

  • Account data — full name, work email, organisation name, optional phone.
  • Payment data — billing name, address, GSTIN (where applicable), and a payment-method token from our payment processor (we do not store full card numbers).
  • Brand assets — logos, signatures, and certificate templates you upload.
  • Activity data — events you create, certificates you issue, dashboard actions, and audit logs.

From Recipients (people who self-issue against your event code):

  • Identity — full name and email (always). Phone, photo, custom fields if the event requires them.
  • Certificate data — the certificate document, its SHA-256 hash, the issuing IP address, the time of issuance, and a list of subsequent verifications (IP + time, no PII).
  • Magic link tokens — short-lived tokens that let recipients re-download their certificate without an account.

Automatic data (everyone who touches our service):

  • IP address, user-agent string, approximate geo (country + state), and timestamps.
  • Crash and error logs (stack traces, with PII redacted).
  • A first-party analytics cookie that counts daily-active organisers; no third-party trackers in v1.
Clause 03

Why we collect it

  • To run the service — render certificates, send magic-link emails, support the verification page.
  • To bill you — only for Organizers on paid plans.
  • To prevent abuse — rate-limit attempts to brute-force event codes, detect bulk fraud.
  • To investigate forgery reports — we use issuance IP and audit logs to confirm whether a disputed certificate is genuine.
  • To support you — we'll use the email you signed up with to reply to support tickets and to send essential service notices.

We do not use your data — or recipients' data — for behavioural advertising, profile-building, AI model training, or resale.

Clause 04

Legal basis

Under the DPDP Act, 2023, we process personal data on these bases:

  • Consent (Section 6) — for recipient identity data (name, email, photo) submitted through the recipient sign-up page. The Organizer presents a consent notice to the recipient at the point of data collection; we technically enforce the notice (in v1.1, the "Issue my certificate" button cannot be tapped until the "I agree" checkbox is ticked).
  • Performance of contract — for Organizer account, billing, and the issuance of certificates you requested.
  • Legitimate use (Section 7) — for fraud prevention, abuse rate-limiting, and security logging.
  • Compliance with law — where applicable, to retain financial records for the period required by the Income-tax Act, 1961, and to honour legitimate law-enforcement requests.
Clause 05

Who we share with

We share personal data with a small number of vetted service providers (subprocessors). Each is contractually bound to use the data only for the purpose we engage them for. Our current subprocessors:

Vendor | Purpose | Where
Amazon Web Services | Hosting, storage, identity (Cognito) and transactional email (SES) | Mumbai (ap-south-1)
Dodo Payments | Card / UPI / net-banking processing | India

That is the complete current list. If we add a subprocessor — for example error-monitoring (Sentry-equivalent), SMS / WhatsApp delivery, or analytics — we will update this page within 14 days, and Organizers will be notified by email at least 30 days before any subprocessor that processes Organizer or Recipient personal data starts doing so.

We do not share personal data with advertising networks, data brokers, or for any commercial purpose other than running the service. We may disclose data when compelled by valid Indian legal process; we will notify you of any such request unless prohibited by law.

Clause 06

How long we keep it

  • Organizer account — while your account is active. Closed accounts are deleted within 30 days, except for invoice records (retained for 8 years per the Income-tax Act, 1961).
  • Certificate data — indefinitely while you maintain the account that issued it, so the Verification URL stays live. On account closure, you can choose to (a) export and revoke all certificates, or (b) keep them verifiable under a read-only successor account. The default is (b) for one year, then archival.
  • Magic-link tokens — 90 days.
  • Audit logs — 18 months from generation, then aggregated to non-PII analytics.
  • Backups — encrypted, retained for 30 days before rolling deletion.
Clause 07

How we protect it

  • In transit — all traffic is TLS 1.3.
  • At rest — AWS-managed AES-256 encryption on DynamoDB and S3.
  • Access — MFA on root and operator AWS accounts; per-Lambda IAM least-privilege; secrets in AWS Secrets Manager, never in source. Production access is logged in CloudTrail and CloudWatch.
  • Hashing — certificate integrity is enforced by SHA-256 hash; volunteer authentication is Cognito-managed (passwords never visible to us); magic-link tokens are short-lived opaque IDs in DynamoDB, never persisted in plaintext on the client.
  • Pen-testing — we will commission a third-party penetration test before our first enterprise customer onboarding. Until then, we rely on internal review, AWS-managed runtime patching, and the auditability built into every action through the certificate audit log.
Breach notification. If we detect a personal-data breach that may cause harm, we will notify the affected Data Principals and the Data Protection Board of India within 72 hours, as required under Section 8(6) of the DPDP Act, 2023.
Clause 08

Your rights

Under the DPDP Act, 2023, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — subject to our retention obligations (e.g. tax records).
  • Withdraw consent previously given. Withdrawal doesn't affect processing done before withdrawal.
  • Nominate another individual to exercise your rights in case of death or incapacity (Section 14).
  • Grievance redressal — raise a complaint with our Grievance Officer (see section 12), and if unresolved within 15 days, escalate to the Data Protection Board of India.

To exercise any of these rights, email founders@hawklogicsystems.com. We respond within 7 working days and complete most requests within 15. For high-volume requests we may ask for ID verification.

For recipients — if you're a recipient and want to exercise your rights, you can email us directly, but for fastest response you should also contact the Organizer who issued your certificate; they are the data fiduciary for your recipient data and may need to authorise the action.

Clause 09

Cookies & tracking

We use the minimum cookies needed to run the service:

  • Session cookie — keeps Organizers signed in (HttpOnly, Secure, SameSite=Lax).
  • CSRF token — protects against cross-site request forgery.
  • First-party analytics cookie — counts unique daily-active organisers. No cross-site tracking. No fingerprinting.

The recipient sign-up page sets no cookies. The verification page sets no cookies. We do not embed third-party trackers, advertising pixels, or social-media widgets.

Clause 10

Children

Organizer accounts require the account-holder to be at least 18 years old. The recipient sign-up page may be used by minors, but only if the Organizer has obtained verifiable parental consent before issuing the event code to them.

We do not knowingly collect data from children under 13. If you believe we have, email founders@hawklogicsystems.com and we'll delete it.

Clause 11

Cross-border transfer

We host all primary data in Mumbai (AWS ap-south-1). Our current subprocessors (AWS, Dodo Payments) are India-based, so no cross-border transfer of personal data happens in v1. If we add a subprocessor outside India in future, we will (a) update the subprocessors list in section 5, (b) notify Organizers at least 30 days in advance, and (c) execute a data-processing agreement compliant with the DPDP Act, 2023 before any personal data flows.

The Indian government may, under Section 16 of the DPDP Act, notify a list of countries to which personal data may not be transferred. If a country housing a subprocessor is added to that list, we will migrate the data to an India-based alternative within 90 days.

Clause 12

Grievance officer

Per the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, we publish the following Grievance Officer details:

Officer: Souham Biswas
Designation: Grievance Officer, HawkLogic Systems Private Limited
Email: founders@hawklogicsystems.com
Address: HawkLogic Systems Private Limited, HD-80, Manyata Redwood, WeWork India Management, Venkateshapura, Bangalore North, Bangalore — 560045, Karnataka, India
Response: Acknowledgement within 24 hours · resolution within 15 days

For the full grievance redressal procedure — including escalation to the Data Protection Board — see the Grievance Redressal page.

Clause 13

Changes to this policy

We may update this policy as the service evolves and as Indian privacy law develops. Material changes (e.g. new categories of data collected, new purposes, new subprocessors in non-adequate jurisdictions) will be announced via email to Organizers at least 30 days before they take effect.

The current version, an archive of older versions, and a plain-English changelog are kept at pramaan.me/legal/privacy.
