Privacy Policy
Effective: April 17, 2026
Varnit AI (“we,” “us,” or “our”) is operated by Rohit Pathak and is accessible at https://varnit.ai. This policy explains what data we collect, how we use it, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). If you are outside India, your local law may grant you additional rights; we will honour them to the extent we can verify your request.
1. Who is the Data Fiduciary
Varnit AI is the “Data Fiduciary” as defined in the DPDP Act. All questions about this policy or your data should go to our Grievance Officer (see section 10).
2. What data we collect
- Account data: name and email address you provide at signup, password hash (never the plain password), account creation timestamp.
- Usage data: prompts you send to AI features, conversation history, feedback ratings, resume content you enter into the Resume Maker, documents you upload to Document Intelligence, images you generate.
- Technical data: IP address (used only for rate limiting and account-lockout protection, retained 90 days), approximate device type, browser type, and service worker version.
- Payment data: if you upgrade to Pro, Razorpay (the payment processor) receives your payment details directly. We never see or store your card/UPI/bank details. We only receive a Razorpay order ID, payment ID, and signature for verification.
- Analytics: Vercel Analytics records anonymised, aggregated page-view information. No individual tracking, no cross-site fingerprinting.
3. Why we collect it (purpose & lawful basis)
- To create and secure your account (DPDP Act § 7(a) — performance of the contract you signed up for).
- To deliver AI responses, generate resumes, analyse documents, and save your history (same basis; core service delivery).
- To prevent abuse and detect fraud (DPDP Act § 7(h) — legitimate business interest, strictly limited).
- To process Pro subscription payments (contract performance).
- To send you service emails such as password reset, account confirmation, or critical security notices (legal obligation and contract performance).
We do not sell your data. We do not use your data to train our own AI models. We do not show ads.
4. Who we share data with (Data Processors)
We rely on the following third-party processors. Each has its own privacy policy, and we share only the minimum data required:
- Vercel Inc. (USA): hosting and anonymised analytics.
- Razorpay Software Pvt. Ltd. (India): payment processing for Pro upgrades.
- AI model providers (Google, Groq, Hugging Face, OpenRouter, and similar): we send your prompt text to whichever provider serves your request. The prompt may include conversation context. We do not send your email or real name.
- Email service (SMTP provider): to deliver password reset messages.
We never sell your data to advertisers, data brokers, or third-party marketers.
5. How long we keep your data
- Account records: while your account is active.
- Conversations, resumes, generated images: until you delete them or delete your account.
- Rate-limit / login-attempt logs: 90 days.
- Payment records: 7 years (required by Indian tax law).
- Backups: encrypted backups may retain data up to 30 days after deletion; they are then overwritten.
6. Your rights under the DPDP Act
You have the right to:
- Access your personal data and a summary of how it is processed.
- Correct or update your personal data from your account profile.
- Erase (delete) your account, which purges your profile, conversations, resumes, and all linked data. Start the flow at /account/delete.
- Withdraw consent at any time (equivalent to account deletion for our service).
- Nominate a legal representative to exercise your rights after your death or incapacity. Contact the Grievance Officer to register a nominee.
- Lodge a grievance with our Grievance Officer first. If unresolved within 30 days, you may escalate to the Data Protection Board of India.
7. Security
We use industry-standard safeguards: HTTPS everywhere (HSTS preload), bcrypt password hashing, HTTP-only cookies with SameSite=Strict, strict Content-Security-Policy headers, parameterised SQL, and database-backed rate limiting. Despite this, no online service can be 100% secure. If we learn of a data breach that affects your data, we will notify you and the Data Protection Board of India in accordance with the DPDP Act.
8. Children
Varnit AI is not directed at children under 18 (the DPDP Act defines a child as anyone under 18). If you are under 18 you must not create an account. If we learn that we have collected data from a person under 18 without verifiable parental consent, we will delete it promptly.
9. Changes to this policy
We may update this policy from time to time. The “Effective” date above reflects the latest change. If changes are material, we will notify you by email or an in-app banner at least 30 days before they take effect.
10. Grievance Officer
Rohit Pathak
Grievance Officer, Varnit AI
Email: privacy@varnit.ai
Response time: within 30 days of receipt, as required by the DPDP Act. Keep a copy of your original message and our response.
Last updated: April 17, 2026