InsuranceGuru — Privacy Policy

Effective Date: 4 May 2026

Last Revised: 4 May 2026

Version: 1.0

> ⚠️ LAWYER REVIEW REQUIRED BEFORE LAUNCH. This policy is designed for compliance with India's Digital Personal Data Protection Act (DPDPA) 2023, the IT Act 2000, and IRDAI guidelines. Have it reviewed by a qualified Indian data protection lawyer before going live with real users.

---

Our Commitment

InsuranceGuru ("we," "us," "our") is committed to protecting your personal data. We collect only what we need, use it only as described here, and give you control over it. Insurance involves sensitive personal and financial information — we take that responsibility seriously.

This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what your rights are.

---

1. Who We Are

Data Fiduciary (under DPDPA 2023):

InsuranceGuru

[Company Legal Name]

[Registered Address, India]

Contact: privacy@insuranceguru.in

Grievance Officer: [Name] — grievance@insuranceguru.in (responds within 30 days)

---

2. Data We Collect

2.1 Account Information

When you create an account:

• Email address

• Phone number (if you use SMS OTP sign-in)

• Name (provided during onboarding)

2.2 Profile Information (provided by you)

• Age and date of birth

• Family composition (members, ages, health conditions — if provided)

• Location (state/city — for regional plan availability)

• Occupation and income range (for coverage calculations)

• Existing insurance policies (if entered or uploaded)

2.3 Uploaded Documents

Documents you upload for AI analysis:

• Insurance policy PDFs, scans, or photos

• Identity documents (PAN, Aadhaar — only for user-initiated queries, never stored in raw form beyond the session)

• Claim-related documents

Important: Uploaded documents are processed by our AI model (Anthropic Claude, or other selected providers) and are not retained beyond what is necessary to generate your response. Full OCR text may be stored in your conversation history if you choose to save the chat.

2.4 Usage Data (collected automatically)

• Pages visited and features used within the app

• Conversation history (stored per your account, deletable by you)

• Upload activity (timestamps, document type — not document content)

• Device type, browser, IP address (for security and rate-limiting)

• Session tokens

2.5 Payment Data

When you purchase a subscription:

• Payment is processed by Razorpay (a PCI-DSS compliant payment gateway)

• We store only: plan type, amount, Razorpay order/payment IDs, timestamp

• We never see or store your card number, CVV, or UPI PIN

• Your financial details are governed by Razorpay's Privacy Policy

2.6 Support Data

If you contact support:

• Your name, email/phone

• Description of your issue

• Any documents you share in the support ticket

---

3. Legal Basis for Processing (DPDPA 2023)

We process your personal data on the following lawful bases:

| Processing Activity | Lawful Basis |

|---------------------|--------------|

| Account creation and authentication | Consent (you provide data to register) |

| Providing AI insurance advice | Consent + Contractual necessity |

| Processing uploaded documents | Consent (explicit) |

| Payment processing | Contractual necessity |

| Security, fraud prevention | Legitimate interest |

| Legal compliance | Legal obligation |

| Marketing communications | Consent (opt-in only) |

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

---

4. How We Use Your Data

We use your data to:

1. Provide the Service — Generate AI-powered insurance advice, policy analysis, and recommendations

2. Authenticate you — Verify your identity via OTP (email or SMS)

3. Personalise your experience — Remember your insurance profile and conversation history

4. Process payments — Handle subscription purchases via Razorpay

5. Send important notifications — Policy renewal reminders, claim status updates (if you opt in)

6. Improve the Service — Aggregate, anonymised analytics to understand how features are used

7. Ensure security — Detect abuse, rate-limit requests, prevent fraud

8. Comply with law — Respond to legal obligations, court orders, regulatory requests

9. Customer support — Resolve your queries and complaints

We do not use your data for:

• Selling to third-party advertisers

• Building advertising profiles

• Training AI models on your private data without explicit consent

• Any purpose not listed in this policy

---

5. Data Sharing

We share your data only with:

5.1 AI Processing Providers

Your queries and (if uploaded) document content are sent to AI model providers to generate responses:

• **Anthropic** (Claude) — [Anthropic Privacy Policy](https://www.anthropic.com/privacy)

• **OpenAI** (GPT models, if selected) — [OpenAI Privacy Policy](https://openai.com/privacy)

• **Google** (Gemini, if selected)

• **Groq, Mistral, Cohere, DeepSeek** (if selected)

You choose which AI model processes your query. Each provider's DPA governs their handling of data.

5.2 Payment Processor

Razorpay Financial Solutions Pvt. Ltd. processes all payments. We share only the minimum data needed to create and verify a payment order.

5.3 Email Service Provider

We use an SMTP provider (Brevo/Sendinblue or similar) to send transactional emails (OTP codes, renewal reminders). They process your email address.

5.4 SMS Provider

MSG91 is used to send SMS OTPs. Your phone number is transmitted to MSG91 for delivery. MSG91 is bound by India's telecom regulations.

5.5 Infrastructure

We may use cloud hosting providers (e.g., AWS, GCP, Azure, or Indian data centres) to store data securely.

5.6 Legal Requirements

We will disclose your data if required to by:

• A valid court order or judicial process

• Government or regulatory authority under applicable Indian law

• IRDAI or other financial regulators

We will notify you of any such disclosure to the extent legally permitted.

We do not sell your personal data to any third party.

---

6. Data Retention

| Data Type | Retention Period |

|-----------|-----------------|

| Account information | Until account deletion + 30 days |

| Conversation history | Until you delete it, or 2 years of inactivity |

| Uploaded document OCR text | Per conversation — deleted when conversation is deleted |

| Payment records | 7 years (statutory requirement for financial records) |

| OTP codes | 10 minutes (then marked used/expired) |

| Session tokens | 30 days, or until logout |

| Support tickets | 1 year after resolution |

| Server logs (IP, timestamps) | 90 days |

---

7. Your Rights (DPDPA 2023 — Data Principal Rights)

As an Indian data principal, you have the following rights:

1. Right to Access — Know what personal data we hold about you

2. Right to Correction — Correct inaccurate or incomplete personal data

3. Right to Erasure — Request deletion of your personal data (subject to legal obligations)

4. Right to Grievance Redressal — File a complaint with our Grievance Officer

5. Right to Nominate — Nominate a person to exercise your rights in case of death or incapacity

To exercise any of these rights, email privacy@insuranceguru.in with the subject "Privacy Rights Request" and your registered email/phone. We will respond within 30 days.

If you are unsatisfied with our response, you may appeal to the Data Protection Board of India once constituted under the DPDPA 2023.

---

8. Children's Privacy

Our Service is not directed to persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@insuranceguru.in.

---

9. Data Security

We implement the following security measures:

• **Encryption in transit:** All data is transmitted over TLS 1.2+

• **Encryption at rest:** Database files are encrypted

• **Authentication:** OTP-based login — no passwords stored

• **Rate limiting:** Protects against brute-force and abuse

• **Session security:** Tokens expire after 30 days; revocable by you

• **Access control:** Employees access data only as needed for their role

• **Vulnerability management:** Regular security reviews

Despite these measures, no system is 100% secure. In the event of a data breach that poses a high risk to you, we will notify you within the time frames required by applicable law.

---

10. Cookies and Local Storage

We use browser local storage (not third-party cookies) to:

• Keep you logged in (session token)

• Store your AI model preference

• Store your theme and language settings

We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

---

11. Insurance-Specific Disclosures

Not an Insurance Intermediary: InsuranceGuru is an AI-powered information and advisory platform. We are not an IRDAI-licensed insurance agent, broker, or web aggregator. We do not sell insurance policies. We do not receive commissions from insurers.

Any product recommendations are informational only. Purchase decisions must be made with an IRDAI-licensed advisor or directly with the insurer.

Health Data: If you share health information (pre-existing conditions, medical history) to get insurance advice, this data is treated as sensitive personal data under the DPDPA 2023 and IT (Sensitive Personal Data) Rules 2011. It is processed only with your consent and only to provide the requested advice.

---

12. Cross-Border Data Transfers

Some AI providers (e.g., Anthropic, OpenAI) process data in the United States or other countries. Where such transfers occur, we rely on the terms of service and data processing agreements with those providers.

India's DPDPA 2023 provides for transfer of personal data to countries notified by the Central Government. Until such notification, we note that AI query data may be processed outside India. By using AI-powered features, you consent to this processing.

---

13. Changes to This Policy

We will notify you of material changes at least 30 days in advance via email and in-app notice. The "Last Revised" date at the top of this page will always reflect the current version.

---

14. Grievance Officer

In accordance with the DPDPA 2023 and the IT Act 2000:

Grievance Officer

[Name]

InsuranceGuru

Email: grievance@insuranceguru.in

Response time: Within 30 days of receipt of complaint

---

15. Contact Us

Privacy Team

InsuranceGuru

Email: privacy@insuranceguru.in

Address: [Registered Address, India]

---

This policy is governed by Indian law. Any disputes shall be subject to the jurisdiction of courts in [City], India.