Privacy Policy

1. Introduction & Data Fiduciary Statement

Humrah operates a real-world companion booking platform that enables users to arrange in-person meetups at public locations. This Privacy Policy describes how Humrah collects, uses, stores, shares, and protects personal data, and explains the rights available to users.

By registering an account or using the Humrah platform, you provide your informed and explicit consent to the collection and processing of your personal data as described in this policy. You may withdraw consent at any time as described in Section 11. Withdrawal of consent may limit or terminate your ability to use the platform.

This policy applies to all users accessing Humrah via the mobile application (Android or iOS) or any related service. It is governed primarily by the DPDP Act, 2023 and applicable rules thereunder. Users are encouraged to read this policy in full before using the platform.

2. Information We Collect

Humrah collects personal data that is necessary to provide the service. Data collection is limited to what is required for the purposes described in this policy.

Account Information

• Email Address: Required for account creation and authentication.
• Profile Information: Name, age (declared as 18+), gender, bio, and interests.
• Profile Photos: Images uploaded by the user for display on the profile.
• Phone Number: Optional, collected only if provided for enhanced account security.

Biometric Verification Data

• Verification Video: A short video recording submitted during the identity verification process. Stored temporarily and deleted within 48 hours of processing.
• Face Embeddings: Mathematical numerical representations derived from the verification video. These are not images and cannot be reverse-engineered to reconstruct a photograph. Classified and treated as biometric personal data.
• Verification Records: Status logs indicating whether verification was completed, failed, or is pending.

Location Information

• Approximate Location: City-level or neighborhood-level location, derived from IP address or coarse device permissions. Required for user matching.
• Precise GPS Coordinates: Collected only when the user explicitly grants precise location permission and actively uses location-based features. This permission can be revoked at any time through device settings.
• Meetup Location: Public place address selected by the user for a booking. Shared only with the matched companion for that specific booking.

Usage and Technical Data

• Device Information: Device model, operating system version, and application version.
• IP Address: Collected for fraud prevention and security monitoring purposes.
• Log Data: Records of in-app interactions and timestamps, used for service maintenance and security auditing.

Communication Data

• In-App Messages: Messages exchanged between users within the Humrah platform.
• Support Communications: Records of interactions with Humrah's customer support team.
• Ratings and Feedback: Post-meetup reviews and ratings submitted about other users.

3. Legal Basis for Processing

Humrah processes personal data on the basis of explicit, informed consent obtained from each user at the time of registration. Users are presented with a clear description of data collection and processing purposes before they create an account. Consent is recorded and timestamped.

Certain data processing activities are also carried out on the basis of legitimate legal obligations, including compliance with applicable Indian law, court orders, and regulatory directions from competent authorities.

Humrah does not process personal data for purposes beyond those described in this policy without obtaining fresh consent from the user.

4. How We Use Your Information

Personal data collected by Humrah is used exclusively for the following defined purposes. Data is not processed in any manner incompatible with these stated purposes.

Core Service Delivery

• Creating and managing user accounts.
• Verifying user identity and preventing the creation of fraudulent or duplicate accounts.
• Matching users with compatible companions based on location and preferences.
• Enabling in-app messaging between matched users.
• Processing and confirming booking arrangements.

Safety and Security

• Detecting and preventing duplicate account creation by banned users.
• Identifying and preventing fraud, spam, impersonation, and platform abuse.
• Enforcing the Humrah Terms of Service and Community Guidelines.
• Investigating reported misconduct or safety incidents.

Service Improvement

• Analyzing aggregated or anonymized usage patterns to improve service performance.
• Developing and testing new features.
• Optimizing matching logic and recommendation systems.
• Identifying and resolving technical issues and bugs.

Legal Compliance

• Complying with applicable Indian law, including the DPDP Act, 2023.
• Responding to lawful requests from courts, government authorities, or law enforcement agencies.
• Maintaining records necessary to demonstrate regulatory compliance.

Humrah does not use personal data for advertising profiling, behavioral marketing, or for sale to third parties.

5. Face Verification & Biometric Data

What Is Collected

• Verification Video: A short video recording in which the user performs a liveness detection action. This video is used solely to generate the face embedding and is deleted within 48 hours of processing.
• Face Embedding: A mathematical numerical representation derived from the verification video. This is classified as biometric personal data and is treated accordingly.

What Face Embeddings Are — and Are Not

Face embeddings are arrays of numbers produced by a machine-learning model applied to facial geometry. They are not photographs or images. They cannot be converted back into a recognizable image of the user. They are not used to identify users outside the Humrah platform and cannot be used for facial recognition in any external system. Their sole function is to compute a similarity score between two embeddings for the purpose of detecting whether the same person has previously created an account on Humrah.

How Face Verification Works

1. The user records a short liveness verification video within the app after providing explicit consent.
2. The system processes the video to confirm the presence of a real, live person (liveness check).
3. A unique face embedding is generated from the video.
4. The embedding is compared against Humrah's internal database to detect whether an account associated with the same face already exists.
5. The original verification video is permanently deleted within 48 hours of processing.
6. The face embedding is retained in encrypted form for the duration of the account and for 30 days following account deletion.

Purpose Limitation

Face embeddings are used solely for the following purposes:

• Detecting and preventing duplicate or fraudulent account creation.
• Preventing previously banned users from re-registering on the platform.
• Confirming that the account holder is a real person (liveness detection).

Face embeddings are not used for age verification, identity authentication beyond the purposes above, marketing, research, or any purpose outside those listed here.

Automated Decision-Making

The comparison of face embeddings against the database is performed through an automated process. This process may result in an automated decision to flag or reject an account registration if a duplicate is detected. If your account registration is rejected or suspended as a result of this automated process, you have the right to request human review of that decision.

Human Review and Appeal

If you believe that an automated face verification decision has been made in error — for example, if your account has been flagged or rejected incorrectly — you may submit an appeal by contacting the Grievance Officer at the details listed in Section 16. Humrah will conduct a manual review of the flagged decision and respond within 15 business days. During this period, the account will remain suspended pending the outcome of the review.

Explicit Consent for Biometric Processing

Before any biometric data is collected, users are presented with a dedicated consent screen within the application that explains: (a) what biometric data will be collected; (b) the specific purpose for which it will be used; (c) the retention period; and (d) the right to withdraw consent and the consequences of doing so. Consent is recorded with a timestamp. If you do not provide this consent, account activation will not be possible, as face verification is a mandatory security requirement of the platform.

Retention Minimization

• Verification videos are deleted within 48 hours of processing.
• Face embeddings are retained for the duration of the active account and for 30 days following account deletion, after which they are permanently deleted.
• No biometric data is retained beyond the periods described above.

6. Location Data

Approximate Location (Required)

• What is collected: City-level or neighborhood-level location.
• How it is collected: Derived from IP address or coarse device location permission.
• Purpose: To match users with companions located in a similar area.
• Precision: Not precise enough to identify a user's home address, workplace, or specific movements.

Precise GPS Location (Optional)

• What is collected: GPS coordinates when the user is actively using location-based features.
• How it is collected: Only when the user explicitly grants precise location permission through the device operating system prompt.
• Purpose: To assist in identifying nearby public places suitable for meetups.
• User control: This permission can be revoked at any time through the device's operating system settings. Revoking this permission will disable location-dependent features but will not affect other aspects of the service.

Meetup Location

• When a booking is confirmed, the public place address selected by the user is shared with the matched companion for the purpose of facilitating the meetup.
• This information is limited to the specific booking and is not made visible to other users of the platform.

7. Offline Meetings & Safety

Humrah is a communication and coordination platform. It enables users to identify potential companions and arrange to meet in person at public locations. Humrah does not organize, supervise, or participate in any offline meeting between users.

Platform Role and Limitations

The Humrah platform facilitates communication between users and assists in suggesting public places for meetups. Once a booking is confirmed, the actual meeting occurs independently and entirely outside the control of Humrah. Humrah does not verify the real-time identity, location, or conduct of any user during an offline meeting.

User Responsibility

Users are solely responsible for their personal safety when meeting another user offline. Users are advised to:

• Meet only in well-lit, populated public locations.
• Inform a trusted person of the meeting details before attending.
• Trust their own judgment and leave any situation that feels unsafe.
• Not share personal contact information (home address, personal phone number) with other users unless they choose to do so independently.

Safety Disclaimer

Humrah does not guarantee the behavior, character, or intentions of any user on the platform. The platform's verification mechanisms reduce the risk of fake or duplicate accounts but do not constitute a guarantee of safety. Humrah is not liable for any harm, loss, or injury arising from offline interactions between users.

Reporting and Moderation

Users may report concerns about another user's conduct directly within the application using the report function available on any user profile or booking page. Reports are reviewed by the Humrah moderation team. Where a reported user is found to have violated the Community Guidelines or Terms of Service, Humrah may suspend or permanently remove their account. Users may also contact the Grievance Officer at the details listed in Section 16 for urgent safety concerns.

8. Data Sharing & Third-Party Processors

No Sale of Personal Data

Humrah does not sell, rent, license, or trade personal data to any third party for marketing, advertising, or commercial purposes.

Data Shared With Other Users (Limited)

The following information is made visible to other users on the platform for the purpose of enabling the service:

• Display name, declared age, profile photos, bio, and stated interests — visible to potential matches.
• General approximate location (city or area) — used to indicate proximity to potential matches.
• Meetup location — shared only with the specific companion confirmed for a booking.

The following information is never shared with other users: email address, phone number, precise GPS coordinates, face embeddings, IP address, and device identifiers.

Third-Party Data Processors

Humrah engages third-party service providers who process personal data on Humrah's behalf, acting as data processors. These providers are contractually bound to process data only on Humrah's documented instructions and in accordance with applicable data protection law. Humrah does not authorise processors to use personal data for their own purposes.

Current processors include:

• Cloudinary: Cloud-based storage and delivery of profile images.
• Firebase (Google): Authentication infrastructure, real-time database, and application analytics.
• Email Service Provider: Delivery of OTP codes and service notifications. The specific provider may vary and is subject to change with advance notice to users where material.

Cross-Border Data Transfers

Some of Humrah's third-party processors may store or process data on servers located outside India. Where this occurs, Humrah ensures that appropriate contractual safeguards are in place, including standard data protection clauses requiring processors to maintain equivalent levels of protection to those required under Indian law. Users are informed of the possibility of cross-border processing through this policy and consent to it as part of account registration.

Legal Disclosures

Humrah may disclose personal data when required to do so by law. This includes:

• Compliance with court orders, judicial directions, or other legally binding instruments.
• Responses to lawful requests from competent law enforcement or regulatory authorities.
• Investigation and prevention of fraud, illegal activity, or serious harm to users or third parties.
• Protection of the legal rights or safety of Humrah, its users, or the public.

Where permitted by law, Humrah will notify affected users of any such disclosure.

9. Data Retention & Storage

Humrah retains personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention periods apply:

Active Account Data

• Profile information (name, bio, photos, interests): Retained for the duration of the active account.
• Face embeddings: Retained for the duration of the active account and for 30 days following account deletion.
• In-app messages: Retained for 90 days from the date of the message, then permanently deleted.
• Booking history: Retained for 12 months from the date of the booking.
• Usage and log data: Retained for 180 days, then deleted.

Temporary and Verification Data

• Verification video recordings: Deleted within 48 hours of processing. Not retained beyond this period under any circumstances.
• Session data: Deleted upon logout or after 30 days of inactivity, whichever occurs first.
• OTP and authentication tokens: Invalidated immediately after use or upon expiry.

Deleted Account Data

Upon account deletion, the following deletion schedule applies:

• Immediate (within 24 hours): Account deactivated, profile removed from visibility on the platform.
• Within 48 hours: Profile photos permanently deleted from storage.
• Within 7 days: In-app messages permanently deleted.
• Within 30 days: Face embeddings permanently deleted.
• Within 90 days: Booking history, email address, and device identifiers permanently deleted.

Security Logs and Legal Hold Data

• Security and fraud logs (IP address, device fingerprints): Retained for up to 180 days for fraud investigation and platform security purposes, then deleted.
• Data subject to a legal hold or law enforcement request: Retained for the duration required by the applicable legal obligation, regardless of the standard retention periods above. Users will be informed of any such hold to the extent permitted by law.

Backups

Humrah maintains encrypted system backups for disaster recovery purposes. Backup data is overwritten or purged on a rolling cycle not exceeding 90 days. Deleted personal data will be removed from active systems within the timelines above and from backup systems within the applicable backup cycle.

10. Your Rights Under the DPDP Act, 2023

Under the Digital Personal Data Protection Act, 2023, and associated regulations, users have the following rights in relation to their personal data processed by Humrah:

Right to Access

You may request a summary of the personal data Humrah holds about you and information about the purposes for which it has been processed. Humrah will respond to access requests within 30 days.

Right to Correction and Erasure

You may request correction of inaccurate or incomplete personal data. You may also request erasure of personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent. Humrah will action verified correction and erasure requests within 30 days.

Right to Grievance Redressal

You have the right to submit a grievance to Humrah's Grievance Officer and to receive a response within the timelines described in Section 16. If the grievance is not resolved to your satisfaction, you may escalate the matter to the Data Protection Board of India, once constituted under the DPDP Act.

Right to Nominate

You may nominate another individual to exercise data rights on your behalf in the event of your death or incapacity, in accordance with the provisions of the DPDP Act, 2023.

Right to Data Portability

You may request a copy of your personal data in a structured, machine-readable format (JSON or CSV), to the extent technically practicable for the categories of data Humrah holds.

Right to Object to Automated Decisions

Where a significant decision affecting your account — including account suspension or rejection — has been made by automated means (including face embedding comparison), you have the right to request human review of that decision. See Section 5 for the appeal process applicable to face verification decisions.

How to Exercise Your Rights

1. Submit your request by email to support@humrah.in from your registered email address.
2. Include your full name, registered email address, and a clear description of the right you wish to exercise.
3. Humrah may request identity verification before processing the request.
4. Humrah will respond within 30 days of receiving a complete, verifiable request.

11. Withdrawing Consent

You have the right to withdraw your consent to the processing of your personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Effect of Withdrawal

Because Humrah's service is entirely consent-based and relies on the processing described in this policy to function, withdrawal of consent will result in the following:

• Your account will be deactivated and made invisible to other users.
• Your personal data will be deleted in accordance with the timelines in Section 9.
• You will no longer be able to use the Humrah platform.

Withdrawal of consent from biometric data processing specifically will require account termination, as face verification is a mandatory component of the service.

How to Withdraw Consent

To withdraw consent, you may:

1. Delete your account through the in-app process described in Section 12; or
2. Send a written withdrawal request to support@humrah.in from your registered email address, with the subject line "Consent Withdrawal Request".

Humrah will process withdrawal requests within 7 business days of verification.

12. Data Deletion Requests

In-App Deletion

1. Open the Humrah application.
2. Navigate to Settings → Account Settings.
3. Select "Delete Account".
4. Review the deletion notice explaining what data will be deleted and when.
5. Confirm the deletion by entering your password or a one-time passcode (OTP).

Email Deletion Request

If you are unable to access the application:

1. Send an email to support@humrah.in from your registered email address.
2. Use the subject line: "Account Deletion Request".
3. Include your full name and any other information reasonably required to verify your identity.
4. Humrah will process the request within 7 business days of identity verification.

Deletion Timeline

• Within 24 hours: Account deactivated, profile removed from all visible listings.
• Within 48 hours: Profile photos deleted from cloud storage.
• Within 7 days: In-app messages deleted.
• Within 30 days: Face embeddings permanently deleted.
• Within 90 days: Booking history, email address, and device identifiers deleted from active systems.
• Within one backup cycle (not exceeding 90 days): Personal data purged from backup systems.

13. Data Security

Technical Safeguards

• Encryption in Transit: All data transmitted between the user's device and Humrah's servers is encrypted using TLS/SSL protocols.
• Encryption at Rest: Data stored on Humrah's servers and those of its processors is encrypted using AES-256 or equivalent standards.
• Database Security: Databases are protected by firewalls and access controls. Administrative access is restricted on a need-to-know basis.
• Biometric Data Security: Face embeddings are stored in an encrypted format in a segregated data store with restricted access.
• Authentication: OTP-based login reduces the risk of unauthorised account access.
• Security Reviews: Humrah conducts periodic security assessments of its infrastructure and third-party processors.

User Responsibilities

• Keep your device, operating system, and the Humrah application updated to the latest version.
• Do not share OTP codes with any other person.
• Use a secure and private email account for your Humrah registration.
• Report any suspicious activity or unauthorised access to support@humrah.in promptly.

14. Children's Privacy

Age Declaration

During account registration, users are required to declare that they are 18 years of age or older. This is a declaration-based confirmation. Humrah does not use face verification technology as a means to determine or verify a user's age; face verification is used solely for duplicate detection and fraud prevention as described in Section 5.

Discovery of Underage Users

If Humrah discovers or receives a credible report that a user is under the age of 18:

• The account will be immediately suspended pending investigation.
• All personal data associated with the account will be permanently deleted within 7 days.
• Steps will be taken to prevent re-registration by the same individual.

Parental or Guardian Reports

If you are a parent or legal guardian and have reason to believe that a minor has created a Humrah account, contact Humrah immediately at support@humrah.in with the subject line "Underage User Report". Include relevant details to assist investigation. Humrah will investigate and respond within 5 business days.

15. Changes to This Policy

When and Why This Policy May Change

Humrah may update this Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance, service features, or data practices. The "Last Updated" date at the top of the policy will be revised with each update.

Material Changes

Where changes are material — meaning they alter how personal data is collected, used, shared, or the rights available to users — Humrah will notify users through the following means:

• An email notification sent to the registered email address.
• An in-app notification displayed upon next login.
• Where required by law, fresh consent will be sought before the changes take effect.

Minor Changes

Non-material changes — such as corrections to language, formatting, or clarifications that do not alter the substance of the policy — will be reflected in the updated document without individual notification. Users are encouraged to review this policy periodically.

Disagreement with Changes

If you do not accept a material change to this policy, you may delete your account before the effective date of the change. Continued use of the platform after the effective date of a material change constitutes acceptance of the updated policy.

16. Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Humrah has designated a Grievance Officer to address privacy-related complaints and concerns raised by users.

Grievance Officer Details

• Name: [Grievance Officer Name — To Be Designated]
• Title: Grievance Officer, Humrah
• Email: grievance@humrah.in
• Address: Delhi, India
• Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)

How to Submit a Grievance

1. Send an email to grievance@humrah.in from your registered email address.
2. Include your full name and a clear description of your grievance.
3. Attach any relevant supporting documentation.

Response Timeline

The Grievance Officer will acknowledge receipt of the complaint within 48 hours and provide a substantive response or resolution within 15 business days of receipt of a complete complaint.

Escalation

If your grievance is not resolved to your satisfaction within the timelines above, you may escalate the matter to the Data Protection Board of India, once it has been constituted and made operational under the DPDP Act, 2023. Information on how to approach the Board will be published by the Government of India and updated here as applicable.

Summary of Key Legal Revisions (For Internal Reference)

The following material legal deficiencies were identified and corrected in this revised policy:

• Added explicit Data Fiduciary declaration as required under the DPDP Act, 2023.
• Established lawful basis of processing as explicit consent; added consent withdrawal mechanism and consequences.
• Added mandatory Grievance Officer section with name placeholder, contact details, and response timelines.
• Reclassified face embeddings as biometric personal data; added dedicated consent step, purpose limitation, automated decision-making disclosure, and human review appeal process.
• Removed legally incorrect claim that face verification verifies user age; replaced with declaration-based age confirmation.
• Added clarification that face embeddings cannot identify users outside the Humrah platform.
• Added offline meeting liability disclaimer and user safety responsibilities section.
• Added reporting and moderation process for user safety concerns.
• Identified third-party service providers as data processors bound by contractual safeguards.
• Added cross-border data transfer disclosure and contractual safeguard commitment.
• Rewrote retention section into four clear categories (active account, temporary/verification, deleted account, security logs and backups) with no contradictions.
• Added backup data purge timeline to address gap between active deletion and backup systems.
• Listed full DPDP Act user rights including right to nominate, right to grievance redressal, and right to object to automated decisions.
• Removed marketing language, emotional phrasing, and factually unsupported assurances throughout the document.