Privacy Policy

1. Who we are

Utsav Panditji(the “App”) is the official affiliate companion application for the Utsav App platform operated at utsavapp.in. The App is published on Google Play under the package name in.utsavapp.panditji by Nirvann Applications Private Limited (“we”, “us”, “our”).

We act as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (DPDPA) for the personal data of affiliates registered on the App.

2. Personal data we collect

We collect the following categories of personal data when you register and use the App:

• Identity & contact: name, phone number, city, state, optional temple name.
• Authentication: One-Time Passwords (OTP) sent to your phone for login. We never collect or store passwords.
• KYC information: Permanent Account Number (PAN) and (when applicable) a photo of your PAN card — required by Indian tax law for any payout you receive.
• Payment details: bank account number, IFSC code, and/or UPI ID used for commission payouts. Stored encrypted at rest.
• Affiliate activity: the affiliate links you generate, clicks on those links, conversions (devotee participations attributed to you), tier, and commission history.
• Device tokens: push-notification tokens used to alert you about KYC status, commissions, and payouts.
• App diagnostics: non-personal usage and crash data when you opt in to share diagnostics with Google Play.

We do not collect: precise location, contacts, calendar, photos/files outside the KYC flow, microphone, or browsing history.

3. Why we collect it

• Account management: create and operate your affiliate account.
• Service delivery: generate share links, attribute clicks/conversions, compute commission earnings.
• Payouts & tax compliance: verify your identity (PAN), pay commissions to your bank/UPI, issue Form 26AS / TDS certificates where required.
• Fraud prevention: detect self-referrals, duplicate accounts, and abuse of the commission program.
• Communications: send transactional alerts about KYC, commissions, payouts, and account changes.
• Legal compliance: meet obligations under Indian tax law, RBI guidelines, and the DPDPA.

4. Who we share data with

We share personal data only with the following categories of recipients, and only the minimum data needed for each purpose:

• Banking partners (IDFC FIRST Bank and similar) — to disburse payouts to your bank account.
• Cloud infrastructure (Amazon Web Services, Google Cloud Platform) — to host the App backend and databases. Data is stored in India where possible.
• Communication providers (SMS gateways, Google Firebase Cloud Messaging) — to send OTPs and push notifications.
• Tax authorities (Income Tax Department, GST) — only when legally required to do so.

We do not sell your personal data. We do not share data with advertisers or analytics networks for behavioural targeting.

5. How we protect your data

• All network traffic between the App and our servers is encrypted with TLS 1.2 or higher.
• PAN, bank account, and UPI identifiers are additionally encrypted at rest using authenticated encryption with per-record initialization vectors.
• Access to encrypted PII is restricted to a small number of authorised personnel and is audit-logged at the row level.
• Authentication uses short-lived JWT access tokens delivered via secure HTTP-only cookies and refresh-token rotation with reuse-detection.

6. How long we keep your data

We retain personal data only for as long as needed for the purpose it was collected.

• Active affiliate accounts: for the duration of the account.
• After deletion request: profile, KYC, and bank details are removed within 30 days.
• Financial records (commissions, payouts, invoices, TDS): retained for 7 years from the date of the last transaction, as required by the Income Tax Act, GST law, and RBI guidelines. This retention applies even after you delete your account and cannot be waived.
• Audit logs of PII access: 3 years.

7. Your rights

Under the DPDPA you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or outdated data.
• Delete your account and associated data — see our Delete Account page for the process.
• Withdraw consent at any time. Note that withdrawing consent prevents you from receiving future commissions and payouts.
• Lodge a complaint with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, email tech@utsavapp.in from your registered email or phone. We respond within 30 days.

8. Children

The App is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we learn that we have inadvertently collected such data, we delete it promptly.

9. Where your data is stored

Your data is primarily stored on servers located in India. Where backups or operational replicas reside outside India (e.g. for disaster recovery on global cloud providers), we ensure equivalent contractual and technical safeguards apply.

10. Changes to this policy

We may update this policy as the App and applicable laws evolve. Material changes will be communicated in-app and via the email or phone you registered with. The “In effect from” date at the top of this page reflects the most recent revision.

11. Contact us

Data Protection Officer
Nirvann Applications Private Limited
Email: tech@utsavapp.in