When you create an account or use Dharaa, we collect:

• Account Information: Phone number (used for OTP login via Firebase Authentication), and optionally name, email address, and business details you choose to add to your profile.
• Counterparty Details: Name, email address, phone number, and signing role of any other party you add to an agreement so they can receive and sign it.
• Communication Data: Support tickets, in-app feedback, and emails you send us.
• Payment Information: When you pay for an eSign or premium feature, the payment is processed by Razorpay (and, where applicable, Apple In-App Purchase, Stripe, or RevenueCat). Card numbers, UPI IDs, and bank credentials are entered directly with the payment processor — Dharaa receives only a transaction reference, masked instrument metadata (e.g., last four digits, network), amount, and status.
• Aadhaar (only if you choose Aadhaar eSign): Your Aadhaar number and Aadhaar OTP are entered on the licensed eSign Service Provider's gateway (e.g., NSDL e-Gov / Protean, CDAC, or another CCA-empanelled ASP/ESP). Dharaa does not see, log, or store your Aadhaar number or biometrics; we receive only the resulting signed PDF and signature certificate.

When you use the app or website we collect a limited set of technical data needed to operate the service:

• Device & App Diagnostics: Device model, OS version, app version (via package_info_plus), language, timezone, network connectivity status (connectivity_plus), crash and error logs.
• Usage Data: Features used, screens visited, agreements created/signed (counts and timestamps, not content) — used to keep the service reliable and to debug issues.
• Approximate Location (server-side): Coarse country/region inferred from your IP address for routing, fraud prevention, and to confirm you are accessing an India-only service.
• Push Notification Token: A Firebase Cloud Messaging (FCM) device token via awesome_notifications_fcm so we can deliver counterparty-signed and document-status alerts.

We do not use any third-party advertising SDKs, ad identifiers (IDFA/IDFV), or cross-app/cross-site tracking. Per Apple's App Tracking Transparency framework, Dharaa does not "track" you as defined by Apple, and we do not present an ATT prompt because we have nothing to ask.

The Dharaa app requests the following device permissions. Each is optional for ordinary use of the app, requested only at the point of use, and explained in the iOS prompt:

• Camera (NSCameraUsageDescription) — used only if you enable Face Liveness Check on a signing ceremony, to capture a short live-capture confirming a real person is signing. Frames are sent to our liveness verifier, the pass/fail result and a single reference still are stored as evidence in the document's audit trail, and intermediate frames are discarded. Disabled by default.
• Location — When In Use (NSLocationWhenInUseUsageDescription) — used only if you enable Location Proof at Signing, to capture GPS coordinates at the moment you sign. The coordinates and a reverse-geocoded city/state (via geolocator / geocoding) are embedded in the Certificate of Execution as evidentiary metadata. We do not track your location in the background.
• Photo Library (NSPhotoLibraryUsageDescription) — used only when you tap to attach an image (e.g., a property photo or supporting document) or save an executed contract to your library.
• Notifications — to deliver "counterparty signed", "document executed", and similar transactional alerts. You can disable notifications at any time in iOS Settings.

You can revoke any of these permissions at any time in iOS Settings → Dharaa.

When you draft, edit, or sign an agreement we process:

• Agreement Content: The natural-language prompt you give the AI, the resulting draft, every clause edit you make, and the final document.
• Signer Information: Names, email addresses, phone numbers, and signing status of all parties.
• Document Metadata: Creation, edit, and signing timestamps; document state (draft/signing/executed); state-wise stamp duty selection.
• Signing Audit Trail: OTP verification logs, signature certificate(s), face-liveness pass/fail (if enabled), GPS + reverse-geocoded location (if enabled), IP address, device fingerprint, and a tamper-evidence hash. This audit trail is what makes the executed contract legally defensible under the IT Act, 2000 and the Indian Evidence Act, 1872.

A copy of every executed contract is also emailed to each signer at the time of execution.

We use your information to:

• Run the Dharaa app and website and deliver the service you signed up for.
• Generate, store, and let you edit your agreements.
• Initiate and complete digital signatures via Aadhaar eSign or Digital Sign.
• Authenticate logins and maintain account security.
• Process payments via Razorpay / Apple In-App Purchase / Stripe / RevenueCat as applicable.
• Send transactional emails and push notifications (counterparty signed, document executed, payment receipt, etc.).

We will contact you about:

• Security alerts, account changes, and policy updates.
• Counterparty actions on your agreements.
• Payment receipts and refund status.

These are essential service communications and cannot be turned off while your account is active. Marketing emails are opt-in only; if we ever send them, every message will include an unsubscribe link.

We use crash logs, error reports, and aggregated usage counts to find and fix bugs and to improve the AI drafting engine. We do not use the content of your legal agreements to train generalised AI models, and we do not sell or share that content with any party for advertising.

We process your information to comply with applicable Indian law, to enforce our Terms of Service, to detect and prevent fraud or abuse, and to respond to lawful requests from courts or authorised regulators.

Dharaa implements industry-leading security measures including:

• Encryption: AES-256 encryption for data at rest and TLS 1.3+ for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication, and principle of least privilege
• Network Security: Firewalls, intrusion detection systems, DDoS protection, and regular penetration testing
• Infrastructure Security: Secure cloud hosting with certified providers, regular security audits, and vulnerability assessments
• Data Segregation: Logical separation of customer data with strict isolation between tenants
• Monitoring: 24/7 security monitoring, automated threat detection, and incident response protocols

We employ strict policies ensuring:

• Background checks for all employees with data access
• Mandatory security training and confidentiality agreements
• Access logging and regular audits of data access patterns
• Immediate revocation of access upon employee departure

If we suffer a data breach affecting your personal information we will:

• Report qualifying incidents to CERT-In within 6 hours as required by the CERT-In directions of 28 April 2022.
• Notify the Data Protection Board of India and affected users without undue delay, as required by §8(6) of the DPDP Act, 2023.
• Tell affected users what happened, what we are doing about it, and what they can do to protect themselves.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We will never monetise your data without your explicit consent.

We rely on the following named providers to operate Dharaa. Each receives only the data it needs to perform its function and is bound by a data processing agreement.

| Provider | Purpose | Data shared | | --- | --- | --- | | Microsoft Azure | Backend hosting, serverless compute, blob storage | All server-side data | | Google Firebase (Authentication, Cloud Messaging, Remote Config) | OTP login, push notification delivery, feature flags | Phone number, FCM token, device locale | | Razorpay | Payments in India | Order amount, masked instrument metadata, transaction reference | | Apple In-App Purchase | Subscriptions / IAP on iOS (where applicable) | Apple receipt only — Apple does not share PII with us beyond a hashed user identifier | | Stripe / RevenueCat | Payments outside India and subscription receipt validation (where applicable) | Order amount, masked instrument metadata, transaction reference | | Zoho Sign | Workflow orchestration for non-Aadhaar Digital Sign | Document, signer name, signer email | | NSDL e-Gov / Protean / CDAC (or other CCA-empanelled ASP/ESP) | Aadhaar eSign at the moment of signing | Document hash, signer name, signer Aadhaar OTP and Aadhaar number entered on the provider's gateway | | OpenAI / Anthropic / Azure OpenAI (or equivalent LLM provider) | AI-assisted clause drafting and editing | The prompt and context you submit; the provider does not retain content for model training under our enterprise terms | | Email delivery service (transactional) | Sending executed contracts and signing invitations | Recipient email, document attachment |

We will update this list when we add or remove a provider.

When you use Aadhaar eSign:

• Your Aadhaar number and Aadhaar OTP are entered directly on the licensed Aadhaar eSign provider's secure gateway and are governed by their privacy policy and the regulations of the Controller of Certifying Authorities (CCA) and UIDAI.
• Dharaa does not see, log, or store your Aadhaar number, biometrics, or OTP.
• We receive only the resulting signed PDF, the digital signature certificate, and a signing reference — these are stored as part of the document's audit trail because they are required for the document to be legally enforceable under the IT Act, 2000.

We may disclose your information when:

• Required by law, court order, subpoena, or legal process
• Necessary to protect our rights, property, or safety, or that of our users or the public
• Involved in a merger, acquisition, bankruptcy, or sale of assets (with notice to affected users)
• Requested by law enforcement or regulatory authorities with proper legal authorisation

We may share aggregated, anonymised, or de-identified data that cannot reasonably be used to identify you:

• Industry benchmarks and trends
• Product usage statistics
• Research and development insights

We retain your data for as long as necessary to provide our services and fulfil the purposes outlined in this policy:

• Account Data: Retained while your account is active and for up to 90 days after account closure
• Billing Records: Retained for 7 years to comply with tax and accounting regulations
• Agreement Documents: Retained according to your subscription plan settings, with options for export and deletion
• eSign Audit Trails: Retained as required for legal validity of signed documents under the IT Act 2000
• Communication Logs: Retained for up to 2 years for customer support and quality assurance
• Analytics Data: Aggregated and anonymised data may be retained indefinitely

You can request deletion of your data at any time. Upon request, we will:

• Delete your account and associated personal information within 30 days
• Remove data from active systems and backups within 90 days
• Provide confirmation of deletion upon completion
• Retain only data required for legal compliance (e.g., financial records for tax purposes, eSign audit trails as required by law)

As a Data Principal you have the right to:

• Access — a summary of the personal data we process and the processing activities.
• Correction & Erasure — correct inaccurate data and request deletion of data that is no longer required.
• Portability — export your agreements and metadata in standard formats (PDF for documents, JSON for metadata).
• Withdraw Consent — withdraw consent at any time; this does not affect lawful processing carried out before withdrawal.
• Nominate — nominate another individual to exercise your rights in case of death or incapacity.
• Grievance Redressal — raise a grievance with our Grievance Officer (Section 12) and, if unresolved, with the Data Protection Board of India.

You can delete your Dharaa account and personal data directly from inside the app:

Settings → Profile → Delete account

When you delete your account:

• Drafts, in-progress agreements, profile data, and your FCM token are removed from active systems within 30 days and from backups within 90 days.
• Executed contracts and their audit trails are retained as required by Indian evidentiary law (a copy is also emailed to you at execution time, and you may export them before deletion).
• Payment records are retained for 7 years to satisfy Indian tax and accounting law.

You may also email support@dharaa.ai from your registered address to request deletion.

We send marketing messages only if you have opted in. Every marketing email contains an unsubscribe link, and you can also manage preferences in Settings → Notifications inside the app. Essential service communications (security alerts, signing notifications, payment receipts) cannot be opted out of while your account is active.

Dharaa is an India-only service. Personal data, account data, agreement content, and audit trails are stored and processed in India, on Microsoft Azure regions located in India.

A small number of operational sub-processors (for example, Apple's App Store and Apple In-App Purchase, Google Firebase Authentication and Cloud Messaging, and the LLM provider used for AI clause drafting) may process limited technical data outside India under their own privacy commitments. We do not transfer the content of your executed agreements, your Aadhaar number, or your audit-trail evidence outside India. The Government of India has not, as of the effective date above, notified a list of restricted countries under §16(1) of the DPDP Act, 2023; if such a list is notified we will update our sub-processor arrangements to comply.

When data is processed by a sub-processor we require contractual safeguards (data processing agreements), encryption in transit and at rest, and least-privilege access controls.

The Dharaa mobile app does not use third-party advertising SDKs and does not access the iOS Advertising Identifier (IDFA). It does not present an App Tracking Transparency (ATT) prompt because it does not track you across apps or websites owned by other companies. The app stores limited data on your device using shared_preferences and a local database (realm) for offline access to your drafts and account state — this data never leaves your device unless you sync it.

The dharaa.ai website uses only strictly necessary cookies (session, CSRF, login) and a small number of first-party preference cookies (theme, language). We do not use advertising cookies, do not embed third-party advertising pixels, and do not share data with advertising networks.

You can clear cookies via your browser settings, and you can clear local app data by uninstalling the app or by tapping Settings → Profile → Delete account inside the app.

Dharaa's AI engine processes your input (natural language descriptions, clause preferences, and agreement parameters) to generate legal agreements. This processing is necessary for service delivery and is performed with appropriate safeguards:

• Transparency: Clear identification of AI-generated content
• Human Control: Full ability to review, edit, and modify any AI-generated clause before finalising
• Data Minimisation: Processing only data necessary for the specific agreement
• No Persistent Storage of Prompts: Your drafting conversations are not retained beyond what is needed to generate and store the final agreement

Dharaa does not use automated decision-making that produces legal effects or similarly significant effects on individuals without human oversight. All agreements require explicit human review and signing.

We do not use your personal data, agreement content, or document data to train generalised AI models that are sold, shared for advertising, or used to build profiles across customers.

Any internal improvement of our AI systems relies on synthetic data, separately-licensed datasets, and high-level aggregated metrics that cannot reasonably be used to identify an individual person or a specific agreement.

• Name: Mohit Garg
• Email: support@dharaa.ai
• Response time: within 30 days of receiving a verifiable request.

• Account support: support@dharaa.ai

Dharaa
Attn: Grievance Officer
New Delhi, India

We may update this Privacy Policy periodically to reflect:

• Changes in our data practices or services
• New legal or regulatory requirements
• Improved privacy protections or security measures
• User feedback and industry best practices

When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you via email at least 30 days before changes take effect
• We will display a prominent notice on our platform
• We will maintain an archive of previous policy versions

Your continued use of Dharaa services after policy updates constitutes acceptance of the revised terms. If you do not agree with the changes, you may close your account and discontinue use of our services.