Privacy Policy

Your secrets stay yours.

ApnaBharosa is built on a zero-knowledge architecture: your vault contents are encrypted on your phone with keys we never see. This page explains exactly what we collect, why, and how we protect it.

Effective: 18 May 2026
Last updated: 18 May 2026
Version: 1.0

Our core commitment

We cannot read your vault. Ever.

Every sensitive field — account credentials, recovery secrets, identity details, uploaded documents — is encrypted on your device with a key derived from your PIN before it ever touches our servers. We hold ciphertext. You hold the key.

01 Who this applies to

This Privacy Policy applies to the ApnaBharosa mobile application (“the App”) and the related backend services hosted at api.apnabharosa.com and storage.apnabharosa.com (together, “the Service”), operated by the ApnaBharosa team (“we”, “us”).

By creating an account in the App you accept this Policy. If you don't agree with any part of it, please do not use the Service.

02 The zero-knowledge promise

ApnaBharosa is designed so that a database leak on our end would expose no usable secrets. Here's what that means in concrete terms:

  • Your PIN never leaves your phone.
  • An encryption key is derived from your PIN on-device using PBKDF2 with a high iteration count and a per-account salt.
  • Vault data (asset details, document attachments, recovery hints) is encrypted with AES-256-GCM before being uploaded.
  • Nominee access uses a separate split-key scheme so a nominee can only decrypt what you explicitly assigned to them, and only after the inheritance trigger has fired.
  • Biometric unlock keys are stored only in your device's secure enclave / hardware-backed keystore.

What this means for you: if our servers are compromised, attackers see encrypted blobs and hashed identifiers — not your account credentials, not your documents, and not your recovery phrase.

03 What we collect

We deliberately collect as little as possible. The minimum that the Service needs to work falls into these categories:

Phone number

Stored in two forms: a salted hash (for login lookup) and an encrypted record. Required to receive OTPs.

Email (optional)

Only collected if you choose to set one. Used for escalation alerts and account recovery prompts.

Profile basics

Your name and date of birth, plus an optional guardian contact. Stored encrypted on our servers.

Nominees you add

Name, contact (hashed), a secret question, and a hash of the answer they'll need to claim. The relationship is encrypted.

Your vault entries

Account names, providers, balances, instructions, attached PDFs/images. All AES-encrypted on-device before upload.

Heartbeat activity

The timestamps of your “I'm okay” check-ins. Used to trigger the escalation ladder if you stop checking in.

Device push token

An anonymous token from Firebase Cloud Messaging so we can send “are you there?” reminders.

Device & diagnostic info

Coarse logs of failed requests (no payloads). Used for outage detection. No analytics SDK, no advertising IDs.

Contacts (only when you pick one)

If you tap “Pick from contacts” to autofill a nominee's number, the device's contact picker is used. Only the single contact you choose is stored — we never upload your full contacts list.

What we explicitly do not collect

  • Your PIN, your fingerprint template, or any biometric data.
  • Your recovery phrase — it never leaves your device.
  • Location, microphone, advertising IDs, or marketing trackers.
  • Camera streams — the camera is used only locally for document scans you initiate; captured images go through the same client-side encryption flow before upload.
  • Your contacts list — when you tap “Pick from contacts” to fill a nominee's number, the device shows the system contact picker, and only the single contact you select is stored, as part of that nominee's encrypted record.

04 How we use what we collect

  • To run the Service — authenticate you, sync your encrypted vault between devices, deliver the inheritance trigger to your nominees.
  • To detect inactivity — track when you last checked in so the escalation ladder fires only when it should.
  • To send transactional messages — OTPs over SMS, verification codes over email, push reminders.
  • To diagnose outages — keep aggregated, non-personal request logs.
  • To comply with the law — respond to lawful requests when we receive a valid order. We cannot hand over content we cannot read.

We do not use your data to profile you, train models, sell to brokers, or run ads.

05 When we share data

We do not sell your data. The narrow cases where information moves to a third party:

  • SMS provider (Message Central) — your phone number is shared with our SMS gateway only to deliver one-time OTPs.
  • Email provider (Titan Email) — your email is shared with our SMTP relay only to deliver verification codes and inheritance alerts.
  • Push providers (FCM, Expo Push) — anonymous push tokens transit through the OS push services.
  • When you trigger the release — once the inheritance trigger has fired, your nominee receives only the encrypted assets you assigned to them, plus instructions to use their secret answer to unlock the keys.
  • Legal compulsion — if we receive a valid legal order, we can hand over whatever metadata we hold. As designed, this excludes the contents of your vault.

06 How we protect data

  • Encryption at rest — AES-256-GCM on every sensitive field, with keys derived client-side via PBKDF2.
  • Encryption in transit — TLS 1.2+ everywhere; HSTS enabled; certificates auto-renewed.
  • Hashing — PINs and secret answers are never stored. We store key derivations and verification hashes only.
  • Network isolation — internal services (database, cache, workflow engine, object storage) bind to loopback or private networks only; nothing besides the API and storage gateway is reachable from the public internet.
  • Hardware-backed keys — biometric-protected keys live in your device's secure enclave / Android Keystore. We never see them.
  • Account hardening — operator access to production is short-lived and audited.

No system is perfect. We take security seriously; if you believe you have found a vulnerability, please email admin@apnabharosa.com with details.

07 Data retention & deletion

  • Active account — we keep your data for as long as your account exists, so we can fulfill the inheritance trigger if it ever fires.
  • Inactive heartbeat — if the trigger fires and the release runs, encrypted assets remain accessible to your nominees for 90 days, after which they are purged.
  • Account deletion — you can delete your account from inside the App (“Reset App” under settings). On deletion, identity records, vault rows, nominee rows, and encrypted attachments are removed within 30 days. Operational backups roll off within 35 days.
  • Logs — request logs are retained for up to 14 days, then deleted.

08 Your rights

Wherever you live, you have these baseline rights with respect to your account:

  • Access — see what's in your account from inside the App. Most data is already only visible to you.
  • Correction — edit your profile, nominees, and vault entries directly in-app.
  • Deletion — delete your account in-app; see Section 07 above for timelines.
  • Portability — request a copy of the data we hold by emailing admin@apnabharosa.com.
  • Withdraw consent — by deleting your account at any time.

If you are in a jurisdiction with extended rights (EU/UK GDPR, California CCPA, India DPDP Act), those rights apply in addition to the above; email us to exercise them and we will respond within statutory deadlines.

09 Children

ApnaBharosa is intended for adults (18+) making inheritance arrangements. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it.

10 Third-party services we use

  • Google Cloud Platform — hosts our servers in asia-south1 (Mumbai).
  • Message Central — SMS / WhatsApp delivery for OTPs and escalation alerts.
  • Titan Email — outbound transactional email.
  • Firebase Cloud Messaging (Google) and Expo Push Service — Android push notifications.
  • Let's Encrypt — issues the TLS certificates that secure your connection.

Each of these vendors has its own privacy policy that governs the data it processes on our behalf. We only share with them the minimum needed to deliver the message you're expecting.

11 International data transfers

Our primary servers run in Mumbai, India. Some processors (push providers, email delivery) operate globally; when data leaves India it does so over TLS-encrypted channels and remains subject to this Policy.

12 Changes to this policy

We will update this page if the Service changes in a way that affects what we collect or how we use it. When changes are material, we'll let you know in-app or by email before they take effect. The “Last updated” stamp at the top always reflects the current version.

13 Contact us

Privacy questions, deletion requests, vulnerability reports — all go to admin@apnabharosa.com. We respond to genuine inquiries within 7 working days, typically much sooner.