1. What we collect
We collect the following information when you use SevaCart:
Identity & account
- Name, email address, mobile number
- Authentication identifiers from Google or Apple if you sign in via OAuth
- Encrypted password (only if you choose email + password sign-in)
- Profile image (if you upload one or it's pulled from Google/Apple)
Spiritual profile (optional)
- Date of birth, gender, marital status, anniversary
- Gothra, nakshatra, rashi, birth place, kuladevata (family deity)
- Family member details (name, relationship, gothra, nakshatra) – only if you add them
Spiritual fields are strictly optional. They're used solely to personalize your sevas and auto-generate the Sankalpa text. We never share these with third parties.
Transaction data
- Sevas booked, donations made, recipient temples / institutions
- Order amount, platform fee, payment method type (card / UPI / netbanking)
- Cashfree payment / order IDs for receipt generation
- 80G certificate records for tax-compliance audit
We do not store your full card number, CVV, UPI PIN, or bank login. Cashfree (PCI-DSS Level 1 certified) handles those directly.
Technical & usage data
- IP address, browser type, device type, operating system
- Pages visited, sevas viewed, search queries (used in aggregate to improve the app)
- Auth session cookies (functional, not for tracking)
- Analytics events (anonymized)
Visitor analytics & IP retention
We log technical session data including IP address, browser user-agent, and approximate location (country, region, city derived from IP via Vercel's edge network) for security and product improvement. IP addresses are stored at full precision for 30 days, then truncated to the network prefix (e.g. 203.0.113.x) for an additional 60 days, after which the entire analytics event is deleted (90-day total ceiling). You can request earlier deletion of your visitor logs by emailing grievance@sevacart.com.
2. How we use your data
- Deliver the service – process your seva or donation, send confirmation, generate receipts.
- Personalize – recommend sevas based on your nakshatra, suggest auspicious dates from your panchang, auto-fill Sankalpa.
- Communicate – transactional emails (receipts, status), security notifications. Marketing emails only with your explicit opt-in.
- Comply with law – generate 80G certificates, maintain financial records as required by Indian tax law.
- Improve the platform – analyze usage patterns in aggregate (no personal identifiers).
- Prevent fraud – detect and block suspicious account activity or payments.
3. Who we share with
We share data only with these specific categories of recipients, and only the minimum required:
- Cashfree Payments (Cashfree Payments India Private Limited, Bengaluru) – our payment processor. Receives your name, email, phone, and order details to process payments. Cashfree's privacy policy applies to the data they hold.
- Supabase (Supabase Inc., USA) – primary database and authentication. Stores your profile, transactions, orders, and login credentials securely. Data is held in Supabase's Singapore region for SevaCart.
- ZeptoMail (Zoho Corporation Pvt Ltd, Chennai, India) – transactional email provider. Receives your email address, name, and the contents of any transactional email we send (booking confirmation, password reset, 80G certificate, partner application updates). We use ZeptoMail's India-resident datacenter so your email metadata never leaves the country.
- Cloudflare Turnstile (Cloudflare, Inc., USA) – bot-protection challenge run on sign-up, sign-in, password reset, and OTP-request pages. Cloudflare receives your IP address, browser metadata (user-agent, screen size, timezone) and an interaction signal generated by the widget; it does not receive your name, email, phone, password, OTP, or spiritual profile. The widget runs in invisible mode – no visible challenge is shown for low-risk traffic. Cloudflare's processing of this data is governed by the Turnstile Privacy Addendum.
- Partner temples / institutions – when you offer a seva, the receiving institution sees your name, the seva details, and any devotee names + gothra + nakshatra you specified for the ritual. They do not see your password, payment method, or other personal data. Partner institutions are the data controllers for seva performance details (proof photos, priest notes); SevaCart facilitates the transfer only.
- Tax authorities – if required by law, we share donation records for 80G certification and tax audit.
- Law enforcement – only in response to a valid legal request, court order, or to prevent imminent harm.
We never sell your personal data, share it with ad networks, or expose your spiritual profile to third-party marketers.
4. Cookies and tracking
We use only essential cookies needed for the Service to work:
- sp_session – HttpOnly signed session cookie (HS256 JWT) that keeps you logged in (7-day expiry). Server-only; not readable by browser scripts.
- sp_lang – your selected interface language (en / hi / kn / sa). 1-year expiry.
- Supabase auth cookies – managed by the Supabase JavaScript SDK; used for refresh-token handling.
We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers.
5. How we protect your data
- Encryption in transit – all traffic uses TLS 1.2+ (HTTPS)
- Encryption at rest – passwords are hashed by Supabase Auth using bcrypt; sensitive fields are stored in encrypted Supabase columns
- Access controls – role-based access for our staff; admin actions are audit-logged
- 2FA capable – your account supports multi-factor authentication; we encourage you to enable it
- Service Role isolation – administrative database access is keyed and never exposed to the browser
No system is invulnerable. If we suspect a personal-data breach affecting your data, we will: (a) notify the Data Protection Board of India and you within 72 hours of discovery, as required by §8(6) of the DPDP Act 2023; and (b) report the cybersecurity incident to CERT-In within 6 hours of noticing it, as required by the CERT-In direction dated 28 April 2022 issued under §70B(6) of the IT Act 2000. Notifications to you will include: the nature of the data affected, the likely consequences, the steps we are taking, and what you should do next.
6. Data retention
- Account data – retained while your account is active. Deleted within 30 days of account-deletion request, except for records we must keep by law (e.g., financial records for 7 years).
- Transaction records – retained for 7 years for compliance with Indian tax and financial-reporting law.
- Auth session cookies – 7 days after your last session.
- Analytics aggregates – anonymized, retained indefinitely; cannot be linked back to you.
7. Your rights (DPDP Act 2023)
You have the following rights over your personal data:
- Right to access – view all personal data we hold on you. Request via email.
- Right to correction – fix inaccurate data directly from your profile page.
- Right to erasure – request full account deletion. We comply within 30 days, except where law requires retention.
- Right to data portability – request a machine-readable export of your data.
- Right to withdraw consent – for any processing based on consent (e.g., marketing emails).
- Right to grievance redressal – escalate to our Grievance Officer (see Section 10).
To exercise the right to access or the right to erasure directly, go to your data & account while signed in – you can download a JSON export or delete your account from there. For any other right (correction, portability, consent withdrawal, grievance), write to privacy@sevacart.com.
8. Children's privacy
SevaCart is not intended for users under 18. We don't knowingly collect personal data from minors. If you believe we have collected such data, please contact us and we'll delete it.
9. International data transfers
Your data is stored across the following providers; their location and what data they hold is listed transparently:
- ZeptoMail (transactional email) – India-resident datacenter (Chennai). Email content + recipient address never leaves India.
- Cashfree Payments (payment processor) – India-resident; payments routed through Indian banking infrastructure.
- Supabase (database + authentication) – Singapore region for SevaCart. Where data leaves India, we rely on Supabase's standard contractual clauses and the equivalent-protection regime under DPDP Act §16.
- Vercel (web hosting) – global edge network. Pages are served from the edge node nearest to you; no PII is stored on Vercel servers.
Wherever feasible, we choose Indian-resident providers. The two non-India dependencies above (Supabase, Vercel) are listed under the cross-border transfer disclosure required by DPDP Act §16.
10. Grievance Officer
In compliance with the IT Act 2000, the IT Rules 2021, and the Digital Personal Data Protection Act 2023, we have designated a Grievance Officer as the single point of contact for any privacy or data-handling complaint:
Grievance Officer · SevaCart (Sevasannidhi LLP)
Email: grievance@sevacart.com
General support: support@sevacart.com
Acknowledgement: within 48 hours · Resolution: within 15 working days
Postal address: No. 53, Mutaguppe Village Post, Soraba Taluk, Shimoga District, Karnataka 577434, India
If you believe we have not addressed your concern, you may further escalate to the Data Protection Board of India under §27 of the DPDP Act 2023, or the Grievance Appellate Committee under the IT Rules 2021.
11. Changes to this policy
We update this policy when our practices change (e.g., adding a new payment provider, integrating a new feature that processes data). Material changes are emailed to all active users and announced on the platform 7 days before they take effect.
12. Contact us
For any privacy questions:
SevaCart privacy team
Privacy queries: privacy@sevacart.com
General support: support@sevacart.com
Grievance officer: grievance@sevacart.com
Sevasannidhi LLP · Registered office: 30, Nirman Layout, Koppa village, Bengaluru, Karnataka 560105, India.
Operational office: No. 53, Mutaguppe Village Post, Soraba Taluk, Shimoga District, Karnataka 577434, India.