Privacy Policy

Tveshi ("we," "us," or "our") operates the Tveshi mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you consent to the practices described herein.

1. Information We Collect

1.1 Information You Provide

• Account Data: Phone number (for OTP verification), email address, display name, and profile information.
• Authentication Data: Credentials from third-party sign-in providers (Google, Apple) — we receive only your name, email, and provider user ID; we never receive or store your third-party password.
• Chat Data: Messages you send within chat sessions, including your questions and the AI-generated responses.
• Payment Data: Subscription and transaction records. Payment card details and UPI information are processed directly by Razorpay and are never stored on our servers.
• Support Communications: Emails or messages you send to our support channels.

1.2 Information Collected Automatically

• Device Information: Device type, operating system, app version, and unique device identifiers.
• Usage Data: Role selections, session timestamps, feature interactions, and crash reports.
• Log Data: IP address, browser type, access times, and referring URLs (for the website).

1.3 Information We Do NOT Collect

We do not collect location data, contacts, photos, microphone audio, or any data from other apps on your device.

2. How We Use Your Information

• To create, maintain, and secure your account.
• To provide AI-generated responses to your queries via our expert role system.
• To process payments and manage subscriptions.
• To maintain chat history so you can revisit past conversations.
• To send transactional communications (OTPs, payment receipts, account alerts).
• To improve, debug, and optimize the Service.
• To enforce our Terms of Service and comply with legal obligations.

We do not use your data for targeted advertising. We do not sell, rent, or trade your personal information to third parties.

3. Legal Bases for Processing (GDPR / Global)

If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar data protection laws, we process your data under the following legal bases:

• Contract: Processing necessary to provide the Service you signed up for.
• Consent: Where you have given explicit consent (e.g., marketing communications).
• Legitimate Interest: To improve and secure the Service, prevent fraud, and conduct analytics.
• Legal Obligation: To comply with applicable laws and regulations.

4. Data Sharing and Third-Party Services

We share your data only with the following categories of third-party service providers, solely to operate the Service:

• Anthropic (Claude API): Your chat messages are sent to Anthropic's API to generate AI responses. Anthropic's data handling is governed by their privacy policy and data processing terms.
• Razorpay: Payment processing. Razorpay is PCI-DSS compliant and processes all payment data directly.
• MSG91: SMS OTP delivery for Indian phone numbers.
• Resend: Email OTP delivery and transactional emails.
• Cloud Infrastructure (AWS): Hosting and data storage with encryption at rest and in transit.

We may also disclose information if required by law, court order, or governmental authority, or to protect the rights, safety, or property of Tveshi, our users, or the public.

5. Data Retention

• Account Data: Retained for the lifetime of your account. Deleted within 30 days of account deletion.
• Chat Data: Retained until you delete individual sessions or your entire account.
• Payment Records: Retained for 7 years as required by Indian tax and financial regulations.
• Log Data: Retained for up to 90 days for security and debugging purposes.

6. Data Security

We employ industry-standard security measures including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Secure authentication with JWT tokens and Ed25519 signing.
• Rate limiting and brute-force protection on all endpoints.
• Regular security audits and dependency updates.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data.
• Data Portability: Receive your data in a structured, machine-readable format.
• Restriction: Request restriction of processing under certain conditions.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Where processing is based on consent, withdraw at any time.

To exercise any of these rights, contact us at support@tveshi.com. We will respond within 30 days (or the period required by your local law).

8. International Data Transfers

Our servers are located in India (AWS ap-south-1). If you access the Service from outside India, your data will be transferred to and processed in India. We ensure appropriate safeguards are in place for international transfers, including compliance with applicable data protection frameworks.

9. Children's Privacy

The Service is not directed at children under the age of 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. Cookies and Tracking (Website)

Our website uses only essential cookies required for functionality (e.g., session management). We do not use advertising cookies, tracking pixels, or third-party analytics that profile users across websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email at least 15 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Jurisdiction-Specific Provisions

For users in the European Economic Area (EEA) and United Kingdom

We process data in accordance with the General Data Protection Regulation (GDPR) and the UK GDPR. You may lodge a complaint with your local supervisory authority.

For users in California (USA)

Under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

For users in India

We comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000. You may exercise your rights as a Data Principal under the DPDPA by contacting us.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

• Email: support@tveshi.com
• Grievance Officer (India): support@tveshi.com