Legal
Privacy Policy
Last updated: 20 April 2026
This Privacy Policy explains how GhatGaya (operated by GhatGaya Labs Pvt. Ltd., CIN U74999KA2026PTC000001, registered office at 91Springboard, Koramangala 4th Block, Bengaluru 560095) collects, uses, discloses, retains, and protects your information when you access or use the ghatgaya.com website, APIs, and related services (collectively, the “Service”).
We believe in collecting the minimum data required to run a credible public record — and being unusually clear about what happens to it. If anything in this policy is unclear, email privacy@ghatgaya.com before using the Service.
Who we are
GhatGaya Labs Pvt. Ltd. (“we”, “us”, “our”) is the “Data Fiduciary” under India's Digital Personal Data Protection Act, 2023 (“DPDP Act”) and functionally equivalent to a “Data Controller” under the EU GDPR for visitors from the European Economic Area.
Our Grievance Officer (appointed under Rule 5 of the IT Rules, 2021) can be reached at grievance@ghatgaya.com.
Scope of this policy
This policy applies to personal data collected through the ghatgaya.com website, all first-party subdomains (admin, api, press), our mobile experiences, and any customer support channel (email, phone, social). It does not apply to third-party sites we link to — their own privacy policies govern.
Information we collect
We collect information in four broad buckets:
1. Account & profile data — email address, display name, hashed password, optional avatar URL, optional bio. Provided directly by you at signup or on your profile page.
2. Reports & engagement data — the contents of every report you submit (brand name, product name, category, issue type, description, dates, city, source links, evidence links), plus upvotes, downvotes, comments, and comment likes attributed to your account.
3. Contact & support data — messages you send via our contact form or to our email addresses, including the subject line, body, and any attachments.
4. Technical & device data — IP address, browser user agent, device OS, viewport size, referring URL, timestamps of requests, and similar server logs. Collected automatically when you interact with the Service.
Sources of data
- Directly from you — signup forms, profile edits, report submissions, comments, contact messages.
- Automatically from your device — when you load any page of the Service, your browser transmits technical metadata (IP, user agent).
- From third parties — if you choose to sign in via Google or another OAuth provider (when we enable this), we receive your email, name, and public avatar URL from that provider in accordance with the permissions you grant.
Lawful basis for processing
Under the DPDP Act and GDPR (where applicable), we process your personal data on the following bases:
- Consent — for creating an account, submitting reports, and posting comments. You provide consent by registering and by accepting our Terms & Conditions.
- Legitimate interest — for security, fraud prevention, rate-limiting, and moderation of the public record. This interest is balanced against your rights and freedoms.
- Legal obligation — where we must retain or disclose data to comply with Indian law (including court orders, tax records, and IT Act compliance).
- Public interest — operating a searchable record of consumer complaints is itself a matter of public interest and journalism.
How we use your information
- To create and manage your account.
- To publish your reports and comments to the public record once they clear moderation.
- To detect Patterns — when 5 or more independent reports match the same brand and issue type.
- To rate-limit abusive behaviour and prevent spam / sybil accounts.
- To respond to your contact messages, support tickets, and grievances.
- To produce aggregated, anonymised analytics that we may share with researchers, journalists, regulators, and paying brand customers. These aggregates never identify individual users.
- To debug, maintain, and improve the Service, measure performance, and investigate incidents.
- To send you transactional emails (e.g. “your report was approved”).
- To comply with legal obligations and lawful requests from public authorities.
What we never do
- Sell or rent your personal data to advertisers, data brokers, or any third party.
- Remove a published report in exchange for money, advertising spend, or any form of quiet settlement. Corrections are visible; takedowns outside a lawful order are not possible.
- Disclose to a brand the identity of the user who submitted a report about that brand, unless we are legally compelled to do so.
- Use your data to train third-party AI models without explicit consent.
- Display advertising, use advertising SDKs, or embed cross-site tracking pixels.
Cookies and similar technologies
We use a minimal set of cookies: no third-party analytics trackers and no advertising identifiers.
gg_refresh — an HttpOnly, Secure cookie holding a rotating refresh token so we can keep you signed in without repeatedly re-authenticating. Expires 7 days after issue and is rotated on every refresh.
gg_admin_refresh — same purpose, for admin console users only.
We also use localStorage to remember your access token and UI preferences (theme, draft reports you haven't yet submitted). This is first-party only and stored only in your browser.
Who we share data with
We share personal data with:
- Infrastructure providers — our hosting, database, email, and object-storage vendors, bound by data-processing agreements. Current providers: AWS Mumbai (hosting), Postgres self-hosted on AWS (database), Resend (transactional email), Cloudflare R2 (future evidence storage).
- Moderation team — internal staff under non-disclosure agreements.
- Public viewers — the contents of approved reports, comments, and the display name of the user who posted them. Your email is never public.
- Legal and regulatory authorities — when compelled by a valid legal order, or when necessary to investigate security incidents.
- Successors in a business transaction — in the event of a merger, acquisition, or asset sale, personal data may transfer to the successor, subject to this policy.
International transfers
Primary data storage is within India (AWS Mumbai region). When a vendor processes data outside India, we ensure that (a) standard contractual clauses are in place, (b) the vendor is located in a country with an adequacy decision, or (c) the data is transmitted only in aggregated, anonymised form.
Retention
Different categories of data have different retention periods:
- Approved reports & comments — retained indefinitely. This is a deliberate feature of a public record. A report you delete is shown as [deleted]; replies to it remain.
- Account data — retained while your account is active; purged within 30 days of account deletion (reports remain, re-attributed to [deleted]).
- Server logs (IP, user agent) — 90 days.
- Rejected submissions — 12 months, then purged.
- Contact messages — 36 months, then archived in anonymised form.
- Financial records — 8 years, as required by the Companies Act & Income Tax Act.
Security
- Transport encryption via TLS 1.3 for all data in transit.
- Passwords hashed with bcrypt (cost factor 10).
- Short-lived JWT access tokens (15 minutes) plus HttpOnly-cookie refresh tokens.
- Role-based access control for internal staff; admin actions are audit-logged.
- Database encryption at rest; nightly backups retained for 30 days.
- Rate-limiting and CSRF protections on all sensitive endpoints.
- No technology is perfect. If you suspect a vulnerability, please write to security@ghatgaya.com — we'll acknowledge within 72 hours.
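The cookie and security sections above describe a session design (rotating refresh token in an HttpOnly, Secure cookie that expires after 7 days; 15-minute JWT access tokens). The following is an added example of that design, written for this page and not GhatGaya's own code: it mints an HS256 access token with a 15-minute exp, stores only a hash of each refresh token server-side, rotates the refresh token on every use, and revokes the whole token family if an already-rotated token is replayed (the signal that a copy of the cookie leaked). The signing key, the `/api/auth` cookie path, the in-memory store, and all function names are assumptions for illustration.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Lifetimes stated in the policy: 15-minute access tokens, 7-day refresh cookie.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600
COOKIE_NAME = "gg_refresh"
SIGNING_KEY = b"example-hs256-key-not-for-production"  # assumption: real key lives in a secret store


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_access_token(user_id: str, now: float) -> str:
    """Compact HS256 JWT whose exp claim is 15 minutes after issue."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json({"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}))
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def access_token_claims(token: str, now: float) -> dict | None:
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None


@dataclass
class RefreshRecord:
    user_id: str
    family: str        # every token descending from one login shares a family id
    expires_at: float
    used: bool = False  # set once the token has been rotated away


class RefreshStore:
    """In-memory stand-in for the server-side refresh-token table (assumption)."""
    def __init__(self) -> None:
        self.records: dict[str, RefreshRecord] = {}  # keyed by sha256(token), never the raw token
        self.revoked_families: set[str] = set()


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def set_cookie_header(token: str) -> str:
    """Cookie attributes matching the policy: HttpOnly, Secure, 7-day lifetime."""
    return (f"{COOKIE_NAME}={token}; Path=/api/auth; Max-Age={REFRESH_TTL}; "
            "HttpOnly; Secure; SameSite=Strict")


def _issue(store: RefreshStore, user_id: str, family: str, now: float) -> dict:
    refresh_token = secrets.token_urlsafe(32)
    store.records[_fingerprint(refresh_token)] = RefreshRecord(user_id, family, now + REFRESH_TTL)
    return {"access_token": mint_access_token(user_id, now),
            "refresh_token": refresh_token,          # only ever sent via the cookie below
            "set_cookie": set_cookie_header(refresh_token)}


def login(store: RefreshStore, user_id: str, now: float) -> dict:
    """Start a new token family after the user authenticates (password check omitted)."""
    return _issue(store, user_id, secrets.token_hex(8), now)


def rotate(store: RefreshStore, presented: str, now: float) -> dict | None:
    """Exchange the cookie's refresh token for a new pair, or return None and revoke on abuse."""
    rec = store.records.get(_fingerprint(presented))
    if rec is None or rec.family in store.revoked_families or rec.expires_at <= now:
        return None
    if rec.used:
        # A token that was already rotated is being replayed: someone holds a stale copy.
        # Revoke the whole family so neither the replayer nor the legitimate holder keeps access.
        store.revoked_families.add(rec.family)
        return None
    rec.used = True
    return _issue(store, rec.user_id, rec.family, now)
```

Two design points the policy's wording implies but does not spell out: the server stores only a hash of the refresh token, so a database read does not yield usable cookies, and reuse detection means a leaked refresh cookie buys an attacker at most one rotation before the family is killed. The policy also notes that the access token is kept in localStorage; anything in localStorage is readable by any script running on the page, so the 15-minute lifetime is what bounds the damage of a script-injection bug.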
Public vs private information
Public: everything you intentionally post — report contents, comments, display name, avatar, bio.
Private: your email address, password hash, IP address, device fingerprint, moderation notes, contact-form messages, support correspondence.
Your rights
Under the DPDP Act (India) and GDPR (where applicable), you have the following rights:
- Right to access & download — receive a machine-readable copy of your account data within 30 days of request.
- Right to correction — correct inaccurate personal data at any time via your profile page or by email.
- Right to erasure / account deletion — request deletion of your account. Published reports remain but are anonymised.
- Right to withdraw consent — you may withdraw any consent previously given, with effect going forward.
- Right to nominate — under the DPDP Act, you may nominate another individual to exercise these rights in case of your death or incapacity.
- Right to grievance redressal — you may file a grievance with our Grievance Officer (see below) or directly with the Data Protection Board of India.
To exercise any right, email privacy@ghatgaya.com from the email address on your account. We may ask for additional verification.
Objection & correction for named brands
If a report identifies your business and you believe it is inaccurate or misleading, you may:
- Submit a written response via corrections@ghatgaya.com. Verified responses are published alongside the report.
- Provide documentation that the report is factually incorrect. Once verified, we mark the report as corrected, but we do not delete it. Silent deletion defeats the purpose of a record.
Children
GhatGaya is not directed at children under 18 years of age. Under the DPDP Act, data of children may be processed only with verifiable parental consent, and we do not knowingly collect such data. If you believe a minor has registered, please contact us and we will delete the account.
Automated decision-making
Pattern Detection is a purely mechanical trigger (5 or more independent reports on the same brand and issue type) and involves no editorial discretion. It produces no legal or similarly significant effects on you and is not automated decision-making or profiling within the meaning of Article 22 GDPR. Human moderators review every submission before publication.
Changes to this policy
We may update this policy from time to time. If we make material changes that affect your rights, we will (a) notify registered users by email at least 30 days before the new version takes effect, and (b) post a prominent notice on the homepage. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
Complaints & grievance officer
If you have a grievance regarding the processing of your personal data that we have not resolved to your satisfaction, you may contact our Grievance Officer:
Grievance Officer
GhatGaya Labs Pvt. Ltd.
91Springboard, Koramangala 4th Block
Bengaluru, Karnataka 560095
Email: grievance@ghatgaya.com
We will acknowledge your grievance within 48 hours and resolve it within 30 days, in accordance with the IT Rules, 2021.
You also have the right to escalate unresolved concerns to the Data Protection Board of India once constituted under the DPDP Act.
Contact
Privacy questions: privacy@ghatgaya.com. Security reports: security@ghatgaya.com. Written notices may be sent to 91Springboard, Koramangala 4th Block, Bengaluru 560095, India.