Chetana Privacy Policy


**Effective Date:** 17 February 2026

**Last Updated:** 17 February 2026

**Compliance:** Digital Personal Data Protection Act, 2023 (DPDP Act), Information Technology Act, 2000, IT (Reasonable Security Practices) Rules, 2011



Important Notice


**Chetana is an independent project. It is NOT a government service, NOT affiliated with NIC, MeitY, TRAI, RBI, NPCI, or any government body.**



1. Who We Are


Chetana ("we", "us", "our") is a sovereign AI-powered scam detection and digital safety tool built in India, for India. Chetana is developed and maintained by Paul Desai as an independent project.


**Data Fiduciary (as defined under DPDP Act, 2023):**

  • **Name:** Paul Desai
  • **Email:** [email protected]
  • **Grievance Officer:** Paul Desai ([email protected])
  • **Location:** Mumbai, Maharashtra, India

    • **Grievance redressal timeline:** Within 30 days of receipt of complaint, per DPDP Act S.14.



    2. What Data We Collect


    We process the following data, strictly for scam detection purposes:


    |-----------|---------|---------------------|-----------|


    Data We Do NOT Collect


  • Real names, email addresses, or postal addresses
  • Location data or GPS coordinates
  • Device identifiers, IMEI, advertising IDs, or device fingerprints
  • Biometric data (fingerprints, face data, voice prints)
  • Financial account details, bank account numbers, or credit card numbers
  • Contacts, call logs, or SMS logs
  • Browsing history or app usage data
  • Photos, videos, or media files (unless explicitly submitted for OCR scan)
  • Aadhaar numbers or PAN numbers (these may appear in submitted text but are not extracted or stored separately)
  • Cookies or tracking pixels (web UI uses localStorage only, no cookies)


    • 3. How We Process Data


    3.1 On-Device Processing

  • The primary LLM (language model) runs **locally** on our server infrastructure
  • No data is sent to OpenAI, Google, Microsoft, or any external cloud AI service
  • URL checks may query Google Safe Browsing API (see Section 9)
  • Hindi translation may use Bhashini API (see Section 9)

    • 3.2 Processing Flow

    1. User submits text → Chetana analyzes locally → Returns risk score → Stores in user session (7 days)

    2. No human reviews your submitted content

    3. No data is used to train or fine-tune AI models

    4. Aggregated, fully anonymized statistics may be computed for service improvement


    3.3 Community Verification Data

  • Phone numbers and UPI IDs reported by users are stored in aggregated databases
  • Individual reporters are not linked to specific reports after aggregation
  • A minimum of 3 independent reports is required before any data is used for flagging
  • You may report suspicious numbers/UPIs; your report is stored without personally identifying you


    • 4. Purpose Limitation (DPDP Act S.6)


    All data is processed solely for:

    1. **Scam detection** — Analyzing messages, URLs, UPI IDs, and phone numbers for fraud indicators

    2. **User experience** — Maintaining session context and language preferences

    3. **Service improvement** — Aggregate, anonymized pattern analysis only


    We will **NEVER** use your data for:

  • Advertising or marketing
  • User profiling or behavioral targeting
  • Sale, rental, or sharing with third parties
  • Training AI models on your personal data
  • Government surveillance or law enforcement (unless compelled by valid Indian court order)


    • 5. Data Minimization (DPDP Act S.4(2))


  • Only data you explicitly submit is processed
  • No background data collection
  • No access to your contacts, messages, calls, or files
  • Conversation history is capped at 50 entries per user
  • All processing prioritizes local/on-device where technically feasible
  • Submitted text is analyzed and discarded after the retention period


    • 6. Data Retention (DPDP Act S.8)


    |------|-----------------|-------------|


    You may request immediate deletion at any time (see Section 7).



    7. Your Rights (DPDP Act 2023)


    As a Data Principal under the DPDP Act, you have the following rights:


    7.1 Right to Access (S.11)

    Export all data we hold about you.

  • **API:** `GET /api/privacy/export?user_id=YOUR_ID`
  • **Telegram:** `/privacy` command
  • **Response:** JSON file with all your data, consent records, and scan history

    • 7.2 Right to Correction (S.12)

    Request correction of any inaccurate data.

  • Contact: [email protected]

    • 7.3 Right to Erasure (S.13)

    Request complete, immediate, and irreversible deletion of all your data.

  • **API:** `DELETE /api/privacy/delete?user_id=YOUR_ID`
  • **Telegram:** `/delete` command
  • Deletion is immediate and covers: session data, scan history, consent records
  • Confirmation provided upon deletion

    • 7.4 Right to Withdraw Consent

    View and modify your consents at any time.

  • **API:** `GET /api/privacy/consent?user_id=YOUR_ID`
  • **API:** `POST /api/privacy/consent` with `{user_id, purpose, granted: false}`
  • **Telegram:** `/privacy` command

    • 7.5 Right to Grievance Redressal (S.14)

  • Contact: [email protected]
  • Response within 30 days
  • If unsatisfied, you may approach the Data Protection Board of India

    • 7.6 Right to Nominate (S.14(2))

    You may nominate another person to exercise your rights in case of death or incapacity. Contact us to register a nominee.



    8. Children's Data (DPDP Act S.9)


  • Chetana does not target or knowingly collect data from children under the age of 18
  • We do not have age verification mechanisms; parental supervision is advised
  • We do not process data in any manner that could be detrimental to a child
  • If you believe a child under 18 has submitted data, contact us for immediate deletion
  • We do not track, profile, or serve targeted content to any user


    • 9. Third-Party Services


    Chetana may interact with the following third-party services:


    |---------|---------|-------------|----------------|


  • No data is shared with any other third party
  • All third-party calls are made server-side; your device does not contact these services directly
  • If any third-party service is unavailable, Chetana degrades gracefully without data loss


    • 10. Data Storage and Security (IT Act S.43A)


  • All user data is stored locally on server infrastructure in India
  • No cloud storage, no third-party databases, no offshore replication
  • State files are protected by SHA-256 hash chain integrity verification
  • Access is restricted to the application process only
  • No remote access to stored data
  • Regular security reviews of data handling code
  • Encryption at rest is planned for future release

    • **Reasonable Security Practices (IT Rules 2011 Rule 8):**

  • Access control: application-level only
  • Data integrity: hash chain verification
  • Incident management: see Section 12


    • 11. Cross-Border Data Transfer


    Chetana does **NOT** transfer personal data outside India. All processing and storage occurs on infrastructure located in India. If this changes in the future, we will update this policy and obtain fresh consent as required under DPDP Act S.16.



    12. Data Breach Notification


    In the event of a personal data breach:


    |------|----------|--------|



    13. Significant Data Fiduciary


    Chetana is not currently designated as a Significant Data Fiduciary under DPDP Act S.10. If designated in the future, we will:

  • Appoint a Data Protection Officer (DPO) based in India
  • Conduct periodic Data Protection Impact Assessments (DPIA)
  • Submit to independent data audits
  • Update this policy accordingly


    • 14. Automated Decision-Making


    Chetana uses automated decision-making (risk scoring algorithms and AI models) to generate risk assessments. These assessments:

  • Are informational only and do not trigger any automatic action
  • Do not result in any legal or financial consequence to anyone
  • Can be reviewed by contacting us if you believe an assessment about your entity is incorrect
  • Are subject to the limitations described in our Terms of Service


    • 15. Disclaimer


    Chetana provides AI-assisted scam detection as a supplementary tool.


    **Chetana is NOT 100% accurate. False positives and false negatives will occur. Chetana is NOT liable for any financial loss, whether from undetected scams or incorrectly flagged legitimate communications.**


    Always verify independently before making financial decisions.


    See our [Terms of Service](terms_of_service.md) for full liability limitations.



    16. Changes to This Policy


    We may update this policy to reflect changes in law, regulation, or our practices. Material changes will be:

  • Communicated through the application
  • Effective 30 days after notification for material changes
  • Immediately effective for changes required by law

    • Continued use after changes constitutes acceptance. Your previous consent records are preserved.



    17. Contact


    For privacy-related queries, data requests, complaints, or grievances:

  • **Email:** [email protected]
  • **Grievance Officer:** Paul Desai
  • **Escalation:** Data Protection Board of India (if unsatisfied with our response after 30 days)


    • *This privacy policy complies with the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures) Rules, 2011.*



    ← Back to Chetana