Privacy Policy

Last updated: 15 June 2026

This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Identity of Data Fiduciary

Under the Digital Personal Data Protection Act, 2023, Senduta acts as the Data Fiduciary — the entity that determines the purpose and means of processing personal data.

Platform: Senduta (senduta.com)

Contact: privacy@senduta.com

Grievance Officer: Viswa Prathap — grievance@senduta.com

2. Personal Data We Collect

We collect the following categories of personal data as defined under the DPDP Act, 2023 and SPDI Rules, 2011:

General Personal Data:

  • Full name and email address (provided at registration)
  • Authentication credentials (stored as bcrypt hashes — passwords are never stored in plain text)
  • Google OAuth profile data (if you sign in with Google)

Sensitive Personal Data or Information (SPDI) under Rule 3 of the SPDI Rules:

  • Passwords (hashed and not reversible)
  • Financial information processed during payment (handled by RBI-compliant payment processors; not stored on Senduta servers)

Delivery & Access Data:

  • IP addresses of document access events
  • Device type, user agent, and browser information
  • Geographic location (country and city, derived from IP)
  • Timestamps of all delivery events (sent, opened, downloaded)
  • Recipient email addresses and names provided by senders

3. Lawful Basis & Consent (DPDP Act 2023)

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful bases:

  • Consent (Section 6, DPDP Act): By registering and using Senduta, you provide free, specific, informed, and unambiguous consent to the processing of your personal data as described in this Policy.
  • Legitimate Use (Section 7, DPDP Act): Processing necessary for the performance of the contract between you and Senduta, including delivery tracking, audit trail generation, and OTP verification.
  • Legal Obligation: Processing required to comply with applicable Indian laws, including requests from courts or government authorities.

You may withdraw consent at any time by deleting your account. Withdrawal of consent will result in termination of the Service for your account.

4. Purpose of Processing

Your personal data is processed solely for the following specified purposes:

  • Account creation, authentication, and management
  • Generation and delivery of secure document links
  • Email OTP verification for recipient identity
  • Recording and displaying delivery audit trails
  • Generation of delivery certificates and access reports
  • Sending transactional notifications (delivery, access alerts)
  • Processing payments and issuing GST-compliant invoices
  • Fraud prevention and platform security
  • Compliance with legal obligations under Indian law

5. Access Logs as Core Service Data

Delivery tracking data — including recipient IP address, device, and access timestamps — constitutes the fundamental proof-of-delivery service offered by Senduta. This data is:

  • Collected with notice to recipients through the recipient portal interface
  • Accessible only to the document sender via their authenticated dashboard
  • Included in delivery certificates as electronic records under Section 65B of the Indian Evidence Act, 1872
  • Never shared with third parties except as required by law

6. AI Processing

When AI document analysis is enabled, text extracted from your documents is processed by Anthropic's Claude API. This constitutes cross-border data transfer. By enabling this feature, you consent to such transfer, which is governed by Anthropic's data processing terms.

Senduta does not use your document content to train AI models. You can disable AI analysis at any time per delivery. AI processing is subject to any cross-border transfer regulations that may be notified under the DPDP Act, 2023.

7. Data Localisation

Senduta stores data on infrastructure provided by Supabase (Amazon Web Services, Singapore region). We monitor developments in India's data localisation requirements under the DPDP Act, 2023 and will comply with any applicable data localisation directions issued by the Central Government.

8. Data Processors & Third Parties

We engage the following Data Processors (as defined under the DPDP Act, 2023) who process data solely on our instructions:

  • Supabase (AWS): Database, file storage, authentication
  • Resend: Transactional email delivery
  • MSG91: SMS OTP delivery (India)
  • Anthropic: AI document analysis (optional, user-enabled)
  • Vercel: Application hosting and edge delivery
  • Payment Gateway: Payment processing (RBI-compliant)

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

9. Your Rights as Data Principal (DPDP Act 2023)

Under the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:

  • Right to Access (Section 11): Obtain a summary of personal data being processed and the processing activities.
  • Right to Correction & Erasure (Section 12): Request correction of inaccurate data and deletion of data no longer necessary for the specified purpose.
  • Right to Grievance Redressal (Section 13): File a complaint with our Grievance Officer. If unresolved, escalate to the Data Protection Board of India once established.
  • Right to Nominate (Section 14): Nominate an individual to exercise your rights in the event of death or incapacity.
  • Right to Withdraw Consent: Withdraw consent at any time, subject to legal retention obligations.

Exercise your rights by contacting: privacy@senduta.com. We will respond within 30 days.

10. Security Practices (Section 43A, IT Act)

In compliance with Section 43A of the IT Act, 2000 and the SPDI Rules, 2011, we implement the following reasonable security practices:

  • AES-256 encryption for stored files
  • TLS 1.3 encryption for all data in transit
  • bcrypt hashing (cost factor 10) for passwords
  • SHA-256 file integrity verification
  • Time-limited signed URLs for file downloads
  • Row-level access controls preventing cross-user data access
  • OTP-based identity verification for document access

In the event of a breach of SPDI, we shall notify affected users and take remedial steps as required under applicable law.

11. Data Retention

  • Account data is retained for the duration of your account and deleted within 30 days of closure
  • Delivery records and audit logs are retained for 3 years from the delivery date for legal compliance purposes
  • OTP codes are deleted immediately upon use or expiry (10 minutes)
  • Files are retained until deleted by the sender or the delivery expiry date, whichever is earlier
  • Payment records are retained for 7 years as required under the Income Tax Act, 1961

12. Cookies & Tracking

Senduta uses only strictly necessary cookies for session management and authentication. We do not use advertising cookies, cross-site tracking, or third-party analytics. No profiling of users is conducted for commercial purposes.

13. Children's Privacy

Senduta is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. Under the DPDP Act, 2023, processing of personal data of children requires verifiable parental consent, which we do not currently support. If we become aware that a minor has registered, we will delete their account immediately.

14. Grievance Officer

As required under Rule 5(9) of the IT Intermediary Guidelines Rules, 2021 and the DPDP Act, 2023, our Grievance Officer is:

Name: Viswa Prathap

Email: grievance@senduta.com

Acknowledgement: Within 24 hours

Resolution: Within 15 days of receipt

If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India (once constituted under the DPDP Act, 2023) or approach a consumer forum under the Consumer Protection Act, 2019.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or our practices. We will notify you of material changes via email at least 15 days prior to the effective date. The updated policy will be posted at senduta.com/privacy with the revised effective date.