Privacy Policy
Last updated: April 2026 · Notice version: v1.0
1. Data We Collect
When you use Saarthika, we collect the following categories of personal data:
- Profile data: Business name, type, sector, state, district, pin code, area type, annual turnover, investment in plant and machinery, employee count, GSTIN, Udyam registration number, PAN (masked on display), and owner category (including SC/ST/OBC/Minority/PWD status where voluntarily provided).
- Account data: Email address, phone number, preferred language, and notification preferences.
- Usage data: Pages visited, features used, search queries, and interaction events captured via PostHog and Google Analytics (GA4).
- Cookies: Essential session cookies (required for authentication via Supabase), and optional analytics cookies (PostHog, GA4) subject to your consent.
- Device data: IP address and browser user agent, stored for consent audit purposes only.
- Payment data: Razorpay payment reference IDs and subscription status. Full card and bank account details are processed exclusively by Razorpay and are never stored on Saarthika servers.
2. How We Use Your Data
- Scheme matching: Your business profile is processed to calculate eligibility scores across published government schemes. This is the core service you signed up for and is performed under Section 4(2) of the DPDPA 2023 (data voluntarily provided for an obvious purpose). Separate consent is not required for this purpose (DPDPA Section 7(4)).
- AI-powered personalisation: With your consent, we use automated systems and AI (via Anthropic API) to generate personalised scheme recommendations and action plans.
- Communications: Transactional emails (receipts, account alerts) are sent as necessary to provide the service. Scheme update newsletters and WhatsApp notifications are sent only with your explicit consent.
- Service improvement: Aggregated, anonymised usage data helps us identify bugs, improve features, and understand which schemes are most relevant.
- Billing: Payment and subscription data is used to manage your account, issue GST invoices, and fulfil legal obligations under the GST Act and Income Tax Act.
3. Your Rights Under DPDPA 2023
Under the Digital Personal Data Protection Act 2023, you have the following rights:
- Right to access: Request a copy of all personal data we hold about you. Use the “Export my data” feature in Privacy & Data settings.
- Right to correction: Update your business profile and personal information at any time via Profile settings.
- Right to erasure: Request account deletion via Privacy & Data settings. Account deletion anonymises your personal data. Certain records (payment data, consent audit log) are retained for the statutory 7-year period under GST and income tax law.
- Right to withdraw consent: Withdraw any discretionary consent at any time via Privacy & Data settings. Withdrawal does not affect processing done before withdrawal.
- Right of nomination: You may nominate a person to exercise your rights on your behalf in the event of death or incapacity. Contact our Grievance Officer to register a nominee.
- Right to grievance redressal: Lodge a complaint with our Grievance Officer (details in Section 6 below). If unresolved, you may escalate to the Data Protection Board of India.
4. Data Retention
- Active accounts: Data is retained for as long as your account is active.
- Deleted accounts: On account deletion, your email address, name, and phone number are anonymised immediately. Payment records, consent audit logs, and subscription history are retained for 7 years from the date of deletion to satisfy GST and income tax statutory retention requirements.
- Consent records: Consent records are append-only and retained permanently as required by DPDPA 2023 Section 7 (burden of proof). After account deletion, consent records are anonymised (your user ID is removed) but the record itself is preserved as a compliance artefact.
5. Third-Party Data Processors
We engage the following data processors to operate the service. Each processor is bound by a data processing agreement and is permitted to process your data only as directed by us.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | India (ap-south-1) |
| Resend | Transactional and marketing email delivery | USA |
| Razorpay | Payment processing and subscription management | India |
| PostHog | Product analytics and feature flags (consent-gated) | EU / USA |
| Google Analytics (GA4) | Website usage analytics (consent-gated) | USA |
| Anthropic | AI-powered scheme analysis (consent-gated) | USA |
6. Grievance Officer
For any privacy-related questions, complaints, or requests to exercise your DPDPA rights, please contact our designated Grievance Officer:
Grievance Officer
Saarthika
Email: privacy@saarthika.in
We will acknowledge your request within 72 hours and resolve it within 30 days.
7. Changes to This Policy
We may update this policy to reflect changes in our data practices or applicable law. Material changes that require re-consent will be communicated by email and via an in-app notice. The “Last updated” date at the top of this page indicates when the policy was last revised.
This policy corresponds to consent notice version v1.0. If you consented under a previous version, we will contact you when re-consent is required.