Privacy Policy

How MaaPura collects, uses, protects and discloses your personal data, in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA).

Last updated: 2026-05-21

1

Introduction

MaaPura ("MaaPura", "we", "us", "our") is a village operating system developed and operated by Igniting Minds Organisation (a Section 8 non-profit company registered in India, having its principal office at Hyderabad, Telangana, India). MaaPura is a citizen-led platform that connects rural residents, non-resident villagers (NRVs), village administrators, artisans, donors and CSR partners across 16 village modules including Citizen Registry, GramaShoppe, GramaDaan, GramaPartner, Blood Registry, Elderly Care, Grievance Redressal, Schemes Navigator, Family Tree and others.

This Privacy Policy explains what data we collect when you use our web, mobile and SMS interfaces, how we use it, with whom we share it, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable Indian laws. By creating an account or completing KYC on MaaPura you confirm that you have read, understood and consented to this Policy.

2

Information we collect

We collect only the personal data that is necessary for the lawful purposes described in Section 3. The categories of data we collect are:

  • Account data — phone number (mandatory for OTP-based login), email address (optional, required for some receipts and 80G certificates), preferred language and full name as you provide it.
  • Citizen Registry data — name, gender, date of birth, ward / habitation, family relationships (father, mother, spouse, household), residence status (resident / NRV / migrated), occupation, education and similar demographic fields you choose to share for participation in village schemes and services.
  • KYC documents — Aadhaar number (stored only as a SHA-256 hash; the plaintext number is never persisted to our database), photographs of supporting documents, and a live selfie. KYC document images are deleted from our object storage within 48 hours of verification (see Section 6).
  • Sensitive health data — vitals (BP, blood sugar, weight), chronic conditions, medications, blood group and disability status. These fields are field-level encrypted at rest and accessible only with your express consent (see Section 7).
  • Financial data — bank account or UPI VPA (for artisan payouts and donation refunds), donation history and order history. These fields are field-level encrypted.
  • Location data — coarse village-level location (mandatory for village isolation enforcement) and optional precise GPS coordinates that you may submit with grievances, tree-plant activities or community events.
  • Device and usage data — IP address, device model, operating system version, app version, language settings, FCM push-notification token (only if you install our mobile app and grant push permission) and standard server logs (timestamps, request IDs, request paths). We do not use third-party advertising trackers.
  • Communications — messages you send to our support and grievance channels (email, WhatsApp business, in-app inbox).

Where a data field is encrypted at rest, this is enforced by application-level encryption using the platform's ENCRYPTION_KEY in addition to the underlying database encryption. Encryption is described further in Section 4.

3

How we use information

The personal data described above is used only for the following specified purposes:

  • To operate the 16 MaaPura modules you choose to engage with (Citizen Registry, GramaShoppe marketplace, GramaDaan donations, GramaPartner CSR, Blood Registry, Elderly Care, Schemes Navigator, Family Tree, Grievance Redressal, etc.).
  • To perform KYC verification and prevent identity fraud and impersonation.
  • To match you with central- and state-government schemes for which you are eligible.
  • To deliver order receipts, donation 80G certificates, KYC status updates, grievance acknowledgements, scheme matches, blood-request alerts, event reminders and similar service communications via email, SMS, WhatsApp business and in-app FCM push notifications.
  • To compute the Village Liveability Index (LVI) and Data Quality Score (DQS) using aggregated, de-identified village-level statistics — never individual records.
  • To detect, prevent and respond to security incidents, fraud, abuse and policy violations.
  • To comply with our legal obligations under Indian law, including responding to lawful requests from competent government authorities.

We do not sell or rent your personal data to any third party. We do not use your data for targeted advertising. We do not feed your data into third-party AI training datasets.

4

Encryption & Aadhaar hashing

In accordance with Section 8 of the DPDPA (reasonable security safeguards), we apply the following technical measures to your personal data:

  • Aadhaar — hash-only storage. When you submit your Aadhaar number for KYC, we compute a one-way SHA-256 hash and store only that hash. The plaintext Aadhaar number is never written to our database, never logged and never returned in API responses.
  • Health fields (vitals, conditions, medications, blood group, disability status) are field-level encrypted at rest using AES-256.
  • Financial fields (bank account, UPI VPA, IFSC) are also field-level encrypted at rest.
  • Transport security. All traffic between your device and our servers uses TLS 1.2 or higher. Our public domains enforce HSTS.
  • Access control. Backend access is gated by a six-level role-based access control hierarchy (village_resident → village_nrv → village_admin → block_admin → state_admin → super_admin) and a village-isolation middleware that prevents cross-village data leakage.

5

Sharing & disclosure

We share your personal data only in the narrow circumstances permitted by Section 6 of the DPDPA (consent and specified legitimate uses):

  • Village officials. Authorised Gram Panchayat administrators of your village can view records of citizens in their village for the limited purpose of village administration. Officials of other villages cannot see your data.
  • NRV family. Your linked non-resident village (NRV) children can see your health information only if you have explicitly enabled both the "NRV family view" consent and the "Health" consent in your Citizen Profile. Either consent can be withdrawn at any time.
  • Payment processors. When you place an order or make a donation we share the minimum data required to process payment (name, email, phone, amount) with Razorpay Software Private Limited.
  • Service providers. Email delivery (Amazon SES / Nodemailer-compatible SMTP), transactional SMS (MSG91), push notifications (Firebase Cloud Messaging) and cloud object storage (Amazon S3, Mumbai region) are operated by third-party sub-processors under contractual data-protection commitments.
  • Legal requests. We disclose data when required to do so by a lawful order from a competent authority, after verifying the request's authenticity.

We never share, sell, rent or license your data for marketing or advertising purposes.

6

Data retention & deletion

Consistent with Section 17 of the DPDPA, personal data is retained only for as long as it is required for the purpose for which it was collected:

  • KYC documents — auto-deleted from object storage 48 hours after KYC verification or rejection.
  • Citizen records — retained while your account is active and you continue to participate in your village.
  • Order & donation records — retained for at least 8 financial years to meet the record-keeping obligations under the Income-Tax Act, 1961 and Section 80G compliance.
  • Server logs — retained for up to 90 days for security and operational diagnostics, then deleted or anonymised.
  • Withdrawn-consent fields — when you withdraw a specific field-level consent, the linked field is purged within 30 days.
  • Account deletion on request — you may request hard deletion of your account at any time by emailing dpo@maapura.org; subject to overriding legal obligations (such as the 80G retention window), we will erase or fully anonymise your data within 30 days of verifying your identity.

7

Your rights under DPDPA 2023

As a Data Principal, you have the following statutory rights:

  • Right to confirmation and access (§11): obtain a summary of the personal data we process about you.
  • Right to correction and erasure (§12): correct inaccurate or incomplete data and request deletion when the data is no longer required.
  • Right to grievance redressal (§13): raise a grievance with our Grievance Officer (see Section 12).
  • Right to nominate (§14): nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent: any consent you provide is granular (per-field) and can be withdrawn at any time from your Citizen Profile → Settings. Withdrawal does not affect lawful processing already performed.

To exercise any of these rights, write to dpo@maapura.org. We will respond within 30 days. If you are dissatisfied with our response, you have the right to escalate to the Data Protection Board of India.

8

Children & minors

MaaPura is intended for users aged 18 and above. We do not knowingly process personal data of children under 18 without verifiable parental or lawful-guardian consent. Where a citizen record for a minor is created (for instance, by their guardian for the purpose of school enrolment or scheme eligibility), processing is limited to the minor's lawful interest and no behavioural tracking, targeted advertising or detrimental processing is performed, as required by Section 9 of the DPDPA.

9

International transfers

MaaPura's primary data centres and object storage are in India (Amazon Web Services, Mumbai region). In a small number of operational scenarios — for instance, certain transactional email delivery or push-notification routing — your data may transit through service-provider infrastructure outside India. In all such cases the sub-processor is bound by contractual data-protection obligations and we comply with the cross-border transfer rules issued under Section 16 of the DPDPA. We will update this Section if the Government of India notifies a restricted-countries list.

10

Security measures

We implement the following technical and organisational security safeguards:

  • TLS 1.2+ for all network traffic; HSTS enforced on production domains.
  • Field-level encryption (AES-256) for health and financial fields.
  • SHA-256 one-way hashing for Aadhaar numbers (plaintext never stored).
  • Role-based access control (6 levels) and village isolation middleware enforced on every database query.
  • Rate limiting on authentication, OTP and upload endpoints.
  • NoSQL-injection sanitisation and HTTP parameter pollution protection on every API call.
  • Sentry-based error monitoring with personal data scrubbing.
  • Daily backups with 30-day retention; backups are encrypted.

While we follow industry best practices, no system on the public internet is perfectly secure. If we discover a personal-data breach that is likely to result in harm to you, we will notify you and the Data Protection Board of India in accordance with the DPDPA.

11

Cookies & analytics

We use a single first-party HTTP-only session cookie named maapura_session that stores your role, KYC status and Gram Panchayat code so that our Next.js Edge middleware can gate private routes. This cookie does not contain any directly-identifying information beyond what is necessary for access control.

We use Google Analytics 4 with anonymize_ip enabled for aggregated usage analytics. No identifying user IDs are sent to Google Analytics. You can opt out by installing a standard tracker-blocking browser extension or by enabling "Do Not Track" on your browser; MaaPura honours the DNT header for analytics.

We do not set advertising cookies. We do not embed third-party social-media tracking pixels.

12

Grievance Officer / Data Protection Officer

In accordance with Section 10 of the DPDPA and Rule 5 of the Information Technology (Reasonable Security Practices) Rules, 2011, MaaPura has appointed a Grievance Officer who also acts as our Data Protection Officer (DPO):

Name: [Grievance Officer / DPO — to be appointed by Igniting Minds Organisation]

Email: dpo@maapura.org

Phone: [+91-XXX-XXX-XXXX — to be published once Grievance Officer is appointed]

Address: Igniting Minds Organisation, Hyderabad, Telangana, India.

We will acknowledge any grievance within 48 hours of receipt and resolve it within 30 days. If you remain dissatisfied, you may escalate to the Data Protection Board of India established under the DPDPA.

13

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will (a) update the "Last updated" date at the top of this page, and (b) notify active users via in-app notification and (where you have provided one) email, at least 14 days before the change takes effect. Continued use of MaaPura after the effective date constitutes acceptance of the revised Policy.

14

Contact us

For any questions about this Privacy Policy or about how your data is handled:

This Privacy Policy is published in English. Telugu and Hindi summaries are provided in-app for accessibility; in case of any conflict, the English version shall prevail.