Back to isharey
Privacy Policy
1. Introduction
isharey ("we", "us", "our", "the Company") is firmly committed to safeguarding your privacy and protecting your personal data. This Privacy Policy sets forth the manner in which we collect, use, store, process, share, and protect your information when you access or use our automated safety check-in service ("Service").
This Policy is drafted and enforced in strict compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA) of India.
By accessing, registering on, or using isharey in any capacity, you expressly and unequivocally consent to the collection, processing, and use of your data as described herein. If you do not agree to any provision of this Privacy Policy, you must immediately cease all use of the Service.
2. Data We Collect
We adhere to the principle of data minimization and collect only such data as is strictly necessary to operate and deliver the Service. The following constitutes an exhaustive breakdown of all data collected:
2.1 Information You Directly Provide
| Data | Purpose | Required? |
|---|---|---|
| Mobile phone number | Account creation, OTP-based authentication, WhatsApp check-in message delivery | Yes |
| Email address | Account creation, OTP-based authentication, account recovery, service notifications | Yes |
| First & last name | Profile identification, emergency contact alert messages | Yes |
| Date of birth | Cryptographic key derivation for defense-in-depth encryption, emergency contact verification (your emergency contacts must enter your date of birth — not their own — to access your emergency information) | Yes |
| Country | Service localization, phone number normalization, regulatory compliance | Yes |
| Emergency contact phone numbers | Dispatching emergency alerts when you fail to respond to check-ins (up to 7 contacts depending on plan) | Yes (minimum 1) |
| Custom emergency message | Displayed to verified emergency contacts during alerts (minimum 10 characters; stored in encrypted form only — never shared with third parties in plaintext) | Yes |
2.2 Information Collected Automatically
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security enforcement, fraud prevention, rate limiting, anomaly detection, IP blacklisting | Security logs: 90 days |
| User agent (browser/device info) | Session management, security monitoring, automated bot detection | Session duration |
| Login timestamps | Security auditing, account activity monitoring, anomaly detection | Account lifetime |
| Check-in response status | Tracking whether you acknowledged check-in messages, triggering reminders and emergency protocols | Account lifetime |
| Configuration change logs | Immutable audit trail for all account and service configuration changes | Account lifetime |
| Security events | Recording failed login attempts, rate limit violations, anomalous activity patterns, IP blacklist events | 90 days |
2.3 Payment Information
All payment processing is handled exclusively by our PCI-DSS compliant third-party payment processor, Razorpay. We store only the following non-sensitive payment metadata:
- Razorpay subscription identifier and payment status
- Selected plan and subscription period
- Subscription activation and expiry dates
We do NOT store, process, or have access to your credit/debit card numbers, UPI IDs, net banking credentials, bank account details, or CVV/CVC codes at any time. All payment card data is processed and stored exclusively by Razorpay under PCI-DSS Level 1 compliance.
2.4 Data We Explicitly Do NOT Collect
isharey does not collect, request, or process any of the following:
- Passwords (we use exclusively OTP-based passwordless authentication)
- Real-time location, GPS coordinates, or geolocation data
- Contacts, photos, or files from your device's storage
- Social media profiles, accounts, or activity
- Biometric data (fingerprints, facial recognition, voiceprints)
- Browsing history, search queries, or activity outside our Service
- Device identifiers (IMEI, advertising ID, hardware serial numbers)
3. How We Use Your Data
Your personal data is processed strictly and exclusively for the following lawful purposes:
- Service Delivery: Dispatching scheduled check-in messages, follow-up reminders, and emergency alerts to you and your designated emergency contacts via WhatsApp.
- Authentication & Identity Verification: Verifying your identity through one-time passwords (OTP) during login via WhatsApp or email.
- Cryptographic Key Derivation: Utilizing your date of birth as one component of the composite encryption key material — alongside a server-side master secret — to secure your personal data using AES-256-GCM with PBKDF2 key derivation (100,000 iterations, SHA-256).
- Emergency Contact Verification: Enabling your designated emergency contacts to verify their access by entering your date of birth (the subscriber's date of birth, not the contact's own) before accessing time-limited, encrypted emergency information via a secure link.
- Security & Fraud Prevention: Detecting and preventing unauthorized access, fraud, and abuse through IP monitoring, progressive rate limiting, anomaly detection, IP blacklisting, and automated bot detection.
- Account & Subscription Management: Managing your subscription lifecycle, plan configuration, payment status, and service preferences.
- Service Communications: Sending strictly service-related notifications including plan changes, subscription renewals, security alerts, and critical service updates.
- Legal & Regulatory Compliance: Fulfilling legal, regulatory, and law enforcement obligations as mandated by applicable Indian law.
We categorically do NOT use your data for advertising, marketing, behavioral profiling, data mining, automated decision-making, sale to third parties, or any purpose not explicitly stated in this Policy.
4. Data Encryption & Security
4.1 Defense-in-Depth Encryption Architecture
isharey employs a robust defense-in-depth encryption architecture to protect your sensitive personal data at rest. All personally identifiable information (PII) — including phone numbers, email addresses, and custom messages — is encrypted before storage using the following cryptographic specifications:
- Cipher: AES-256-GCM (Advanced Encryption Standard, 256-bit key length, Galois/Counter Mode) providing both confidentiality and authenticated integrity.
- Key Derivation: PBKDF2 with 100,000 iterations using SHA-256, deriving a 32-byte (256-bit) key from a composite key material comprising your user ID, phone number, date of birth, a unique per-user cryptographic salt, and a server-side master secret.
- Per-Record Encryption: Each encrypted field is protected with its own randomly generated 16-byte initialization vector (IV) and a 128-bit GCM authentication tag, ensuring that identical plaintext values produce distinct ciphertext.
- Key Versioning & Rotation: Encryption keys are automatically rotated when your date of birth or phone number changes. Previous keys are deprecated but retained to ensure continuity of access to historical encrypted data.
- Key Verification: Derived keys are verified using bcrypt (10 rounds) to ensure key integrity without storing the raw key material.
This architecture ensures that a database breach alone is insufficient to recover your encrypted data — an attacker would additionally require access to the server-side master secret, which is stored separately in a dedicated secrets management service with strict access controls.
4.2 Comprehensive Security Measures
We implement defence-in-depth security measures to protect your data at every layer:
- Transport Encryption: All data in transit is encrypted using TLS 1.2+ / HTTPS. Plaintext HTTP connections are strictly prohibited.
- OTP Rate Limiting: Maximum 3 OTP requests per hour per phone number; maximum 3 failed OTP verification attempts per hour per IP:phone combination, with automatic 60-minute lockout upon exceeding limits.
- IP-Based Rate Limiting: Maximum 15 requests per 5-minute window per IP address with progressive response delays (2s, 5s, 10s). Exceeding limits triggers automatic 24-hour IP blacklisting.
- Anomaly Detection: Real-time detection of suspicious patterns including phone number cycling (>5 different phones from same IP in 5 minutes), automated request patterns, and suspicious user agents.
- Bot Protection: Cloudflare Turnstile challenge-response verification to prevent automated abuse of authentication endpoints.
- Session Security: HTTP-only, Secure, SameSite=Lax cookies (
isharey_sid) with configurable expiry (default 30 days). Sessions are database-backed and automatically purged upon expiry. - Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy enforced via Helmet.js.
- Webhook Integrity: HMAC-SHA256 signature verification with constant-time comparison for all incoming third-party webhooks, preventing tampering and replay attacks.
- Emergency Verification Security: Maximum 3 failed date-of-birth verification attempts per emergency token per hour, with timing-safe comparison to prevent side-channel attacks.
4.3 Incident Response Protocol
In the event of a confirmed or suspected data breach, isharey shall execute the following incident response protocol without delay:
- Immediate investigation, containment, and remediation of the breach.
- Notification to all affected users via WhatsApp and/or email within 72 hours of breach confirmation.
- Mandatory reporting to the Indian Computer Emergency Response Team (CERT-In) and any other relevant authorities as required under the Information Technology Act, 2000 and the DPDPA, 2023.
- Implementation of corrective and preventive measures to eliminate the root cause and prevent recurrence.
- Provision of a detailed post-incident report to affected users upon request.
5. Data Sharing & Third Parties
5.1 Authorized Third-Party Service Providers
We share strictly limited data with the following third-party service providers solely and exclusively to operate the Service. No data is shared beyond what is technically necessary for each provider's function:
| Provider | Purpose | Data Shared |
|---|---|---|
| MSG91 (WhatsApp & Email API) | Delivering check-in messages, reminders, emergency alert links, and OTP verification via WhatsApp and email | Phone number, email address, and pre-approved template parameters only. Your custom emergency message is never transmitted to MSG91 — emergency contacts receive only a secure, time-limited link and must enter the subscriber's date of birth to decrypt and view the message on our servers. |
| Razorpay | Subscription payment processing and recurring billing | Payment details (processed exclusively by Razorpay; never stored on our servers) |
| Amazon Web Services (AWS) | Cloud infrastructure: database hosting (RDS), compute (ECS Fargate), job queue (SQS), secrets management (Secrets Manager), application logging (CloudWatch), log archival (S3) | All data stored and processed by isharey resides on AWS infrastructure in the Asia Pacific (Mumbai) region (ap-south-1) |
| Cloudflare | Bot protection (Turnstile challenge-response verification on authentication forms) | IP address, browser metadata (processed transiently during verification; not stored by isharey) |
Each provider is contractually obligated to process your data solely for the specified purposes, in compliance with applicable data protection laws, and subject to appropriate confidentiality and security obligations.
5.2 Absolute Prohibitions
isharey unconditionally and irrevocably commits to the following:
- We shall never sell your personal data to any person, entity, or organization, under any circumstances.
- We shall never share your data with advertisers, data brokers, marketing agencies, or any commercial third party.
- We shall never use your data for targeted advertising, behavioral profiling, cross-site tracking, or algorithmic recommendation systems.
- We shall never transfer your data to any entity not explicitly listed above without your prior written consent or a valid legal order.
5.3 Legally Compelled Disclosure
We may disclose your personal data solely when compelled by a valid court order, subpoena, government directive, or other binding legal process under applicable Indian law, or where necessary to protect the rights, safety, or property of isharey, our users, or the public. We shall make reasonable efforts to notify you of such disclosure unless prohibited by law.
6. Data Retention
We retain your personal data only for the minimum duration necessary to fulfil the purposes described in this Policy or as required by applicable law. The following table sets forth our data retention schedule:
| Data Type | Retention Period |
|---|---|
| Account data (name, phone, DOB, email, country) | Until account deletion |
| Emergency contact phone numbers | Until account deletion or contact removal |
| Check-in history & response status | Until account deletion |
| Configuration audit logs | Until account deletion |
| Encryption keys (deprecated versions) | Until account deletion |
| Security event logs (IP, anomaly events, blacklist records) | 90 days |
| OTP records | 24 hours |
| Session data | 30 days or until session expiry/logout (whichever is earlier) |
| Payment records & subscription history | As mandated by Indian tax and financial regulations |
Upon account deletion, all your personal data is permanently, irreversibly, and completely purged from our systems in a single atomic transaction. This includes all encrypted data, encryption keys, session records, security events, check-in history, emergency contact records, payment metadata, and configuration logs. This action cannot be undone.
7. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and all applicable data protection laws, you are entitled to exercise the following rights:
7.1 Right to Access
You have the right to request a comprehensive summary of all personal data we hold about you, the purposes for which it is processed, and the categories of third parties with whom it has been shared.
7.2 Right to Correction
You have the right to update, correct, or complete any inaccurate or incomplete personal information at any time through your account settings (profile page). Changes to phone number or date of birth automatically trigger encryption key rotation to maintain data security.
7.3 Right to Erasure (Right to Be Forgotten)
You have the right to request complete and permanent deletion of your account and all associated personal data. This requires explicit confirmation by typing "DELETE MY ACCOUNT". Upon deletion:
- All personal data is permanently and irreversibly purged from all systems and databases.
- All encryption keys are destroyed, rendering any residual encrypted data permanently unrecoverable.
- All active sessions are immediately terminated.
- Emergency contacts will permanently cease to receive alerts on your behalf.
- Active Razorpay subscriptions are cancelled (no refund shall be issued).
- All pending jobs, notifications, and scheduled check-ins are cancelled.
7.4 Right to Withdraw Consent
You may withdraw your consent to data processing at any time by deleting your account. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
7.5 Right to Grievance Redressal
If you have any complaint, concern, or grievance regarding the processing of your personal data, you may contact our designated Grievance Officer (see Section 12). If your grievance remains unresolved to your satisfaction, you have the right to file a complaint with the Data Protection Board of India as established under the DPDPA, 2023.
7.6 Right to Nominate
Under the DPDPA, 2023, you have the right to nominate another individual to exercise your data protection rights in the event of your death or incapacity. Such nomination may be made by contacting us at the address provided in Section 12.
8. Cookies & Tracking
8.1 Cookies We Use
isharey uses only a single essential cookie required for the Service to function. No optional, analytics, or third-party cookies are used:
| Cookie | Purpose | Attributes | Duration |
|---|---|---|---|
isharey_sid |
Session authentication | HttpOnly, Secure, SameSite=Lax | 30 days or until logout |
8.2 Technologies We Explicitly Do NOT Use
isharey does not employ and shall not employ any of the following tracking technologies:
- Analytics cookies or scripts (Google Analytics, Mixpanel, Hotjar, or any equivalent)
- Advertising, retargeting, or tracking cookies of any kind
- Third-party cookies for marketing, profiling, or behavioural analysis
- Pixel trackers, web beacons, clear GIFs, or tracking pixels
- Browser fingerprinting, canvas fingerprinting, or cross-site tracking mechanisms
- Local storage or IndexedDB for tracking purposes
9. Data Storage & Transfer
9.1 Storage Location
Your data is stored on secure, access-controlled servers with database-level encryption. We implement reasonable and industry-standard technical and organizational measures to ensure the security, integrity, and availability of our infrastructure.
9.2 International Transfers
In the event that your data is transferred outside the territory of India for processing through any third-party service provider, we shall ensure that adequate and appropriate safeguards are in place as mandated under the DPDPA, 2023 and applicable regulations. Such transfers shall occur only to jurisdictions that provide an adequate level of data protection or under binding contractual clauses that guarantee equivalent protection. You shall be notified of any material change in the jurisdictions where your data is processed.
10. Children's Privacy
isharey is not intended for use by individuals under the age of 13 years. Users between the ages of 13 and 18 may use the Service only with verifiable consent from a parent or legal guardian, in accordance with the DPDPA, 2023.
We do not knowingly collect, solicit, or process personal data from children under 13 years of age. If we become aware that personal data of a child under 13 has been collected without appropriate parental consent, we shall immediately and permanently delete all such data from our systems without notice.
If you believe that a child under 13 has provided us with personal data, please contact us immediately at privacy@isharey.in.
11. Changes to This Policy
We reserve the right to amend, modify, or update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or operational needs. When we make material changes:
- We shall update the "Last updated" date at the top of this page.
- We shall notify you of significant changes via WhatsApp or email prior to such changes taking effect.
- Continued use of the Service after the effective date of any changes shall constitute your acceptance of and consent to the updated Policy.
- If you do not agree to the updated Policy, you must discontinue use of the Service and may request account deletion.
We strongly encourage you to review this Policy periodically to remain informed about how we protect your data.
12. Grievance Officer & Contact
In accordance with the Information Technology Act, 2000, the IT Rules, 2011, and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address your concerns regarding data privacy and protection:
- Designation: Grievance Officer, isharey
- Email: privacy@isharey.in
- Acknowledgement: Within 24 hours of receipt
- Resolution: Within 30 days of receipt, in compliance with statutory requirements
For general privacy inquiries, data-related requests, or any other concerns:
- Email: privacy@isharey.in
- Website: https://isharey.in
13. Consent
By creating an account on, accessing, or using isharey in any manner, you hereby expressly and unequivocally consent to the following:
- The collection, processing, storage, and protection of your personal data as described in this Privacy Policy.
- Receiving WhatsApp messages for check-ins, follow-up reminders, emergency alerts, and essential service notifications.
- Your date of birth being utilized as one component of the cryptographic key material — alongside a server-side master secret — to encrypt and protect your sensitive personal data.
- Your designated emergency contacts receiving alert messages and time-limited secure emergency links via WhatsApp in the event of your unresponsiveness.
- Limited and strictly necessary data sharing with the third-party service providers identified in Section 5 of this Policy.
You may withdraw consent at any time by deleting your account, which shall result in the permanent, irreversible, and complete deletion of all your personal data from our systems.