Privacy Policy

Last Updated: July 2, 2026

This Privacy Policy describes how Manaspurti Technologies Private Limited ("Company," "we," "us," or "our") collects, uses, discloses, and safeguards your personal information when you use the DUIID platform (the "Service"). We are committed to protecting your privacy and complying with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and all applicable data protection laws of India.

By using the Service, you consent to the collection, use, and processing of your personal information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

Zero-Knowledge Commitment: DUIID uses client-side encryption for all Vault data (passwords, documents, credentials). Your encrypted data is stored on our servers, but only you hold the encryption key. We cannot read, decrypt, or access your Vault contents — even if compelled by law, the data we hold is cryptographically meaningless without your key.

1. Information We Collect

1.1 Information You Provide Directly

When you register and use the Service, we collect:

  • Account Information: Your name, email address, and Google profile photo (obtained via Google Sign-In).
  • Profile Information: Display name, bio, and avatar you choose to set within the Service.
  • Identity Information: Brand names, descriptions, and metadata you enter when creating digital identities.
  • Billing Information: Subscription plan, payment history, and transaction IDs processed via Razorpay. We do not store your full credit card number or banking details.
  • Support Communications: Emails, messages, and attachments you send to contact@duiid.com for support or inquiries.

1.2 Information Collected Automatically

When you access the Service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent, actions taken, and error logs. This helps us improve the Service.
  • Device Information: Browser type, operating system, screen resolution, and device identifiers.
  • IP Address: Used for security, fraud prevention, and approximate geolocation for analytics.
  • Authentication Tokens: Firebase Auth tokens used to maintain your session securely.

1.3 Information Stored in the Vault (Zero-Knowledge)

The following categories of data are stored in your encrypted Vault. This data is encrypted client-side before transmission — meaning your browser or app encrypts the data using a key derived from your password, and only the encrypted ciphertext is sent to our servers. We never receive or store the plaintext version:

  • Passwords and login credentials for third-party accounts
  • Documents, PDFs, images, and other files uploaded to the Vault
  • Brand assets (logos, color palettes, font files) stored within an identity
  • API keys and secret tokens stored as credentials
  • Notes and text content within identity profiles

Because we cannot decrypt your Vault data: If you forget your password or lose your recovery key, we cannot recover or reset your Vault. All encrypted data would be permanently inaccessible. We strongly recommend storing your recovery key in a safe location.

1.4 Information from Third Parties

We may receive information from:

  • Google (Authentication): Your name, email, and profile photo when you sign in with Google.
  • Razorpay (Payments): Payment status, transaction ID, and subscription status. Razorpay handles all card/bank details directly.
  • Domain/Social APIs: Availability status for domain names and social media handles (we only send the name being checked, not your personal data).

2. How We Use Your Information

2.1 Service Delivery

  • To create and manage your account and authentication.
  • To store and retrieve your encrypted Vault data when you request it.
  • To process Subscription payments and allocate Credits.
  • To generate AI-powered brand names, logos, and brand kits based on your input.
  • To check domain and social handle availability for identities you create.
  • To enable team delegation and shared access features.

2.2 Communication

  • To send you service-related notifications (e.g., breach alerts, security updates).
  • To send billing receipts and subscription renewal notices.
  • To respond to your support requests and inquiries.
  • To notify you of changes to the Service, Terms, or this Privacy Policy.

2.3 Improvement & Security

  • To analyze usage patterns and improve the Service's features, performance, and user experience.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized access.
  • To comply with legal obligations and respond to lawful requests from authorities.
  • To monitor and enforce the Acceptable Use Policy defined in our Terms and Conditions.

2.4 What We Do NOT Do

We do NOT:
  • Sell your personal data to any third party, ever.
  • Use your Vault data for advertising or marketing purposes (we can't — it's encrypted).
  • Share your email with third-party marketers.
  • Train AI models on your private Vault content (AI features only process what you explicitly submit for generation).
  • Read your stored passwords, documents, or credentials (zero-knowledge encryption).

3. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share your information only in the following limited circumstances:

3.1 Service Providers

We use the following third-party service providers to operate the Service:

  1. Google Firebase: Authentication, Firestore database, Cloud Storage, Cloud Functions, and Hosting. Data is stored in the asia-south1 (Mumbai) region. Subject to Google's privacy policy.
  2. Razorpay: Payment processing. Razorpay collects and processes payment data directly — we only receive transaction status and IDs.
  3. OpenAI: AI generation for brand names, logos, and brand kits. Only the text prompt you submit for generation is sent to OpenAI — no Vault data is ever sent.
  4. Domain/Social APIs: Third-party APIs to check domain and social handle availability. Only the name being checked is transmitted.

3.2 Legal Compliance

We may disclose your information if required to do so by law, court order, or government directive. However, because Vault data is encrypted client-side, even if we are compelled to hand over data, we can only provide encrypted ciphertext that is meaningless without your encryption key. This is a fundamental privacy guarantee of the zero-knowledge architecture.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of the Company's assets, your information may be transferred to the acquiring entity. You will be notified via email before any such transfer occurs.

3.4 Consent

We may share your information with any other third party with your explicit, informed consent. You can withdraw consent at any time by contacting us at contact@duiid.com.

4. Data Retention

4.1 Active Accounts

We retain your personal information for as long as your account is active. Encrypted Vault data is retained for as long as your account exists, unless you manually delete specific items or your entire account.

4.2 Account Deletion

When you delete your account, the following happens:

  1. All encrypted Vault data is permanently deleted from our servers within 30 days.
  2. Your authentication credentials are revoked immediately.
  3. Your public profile is removed.
  4. All delegated access links are revoked.
  5. Subscription is cancelled and unused Credits are forfeited.

4.3 Legal Retention

Certain records may be retained beyond account deletion as required by Indian law:

  • Financial transaction records: up to 7 years (per Indian tax law).
  • Security incident logs: up to 3 years for audit and compliance.
  • Legal correspondence: until the matter is fully resolved.

5. Data Security

5.1 Encryption

  • In Transit: All data transmitted between your browser and our servers uses TLS 1.2+ encryption (HTTPS).
  • At Rest (Vault): Vault data is encrypted client-side using AES-256-GCM before transmission. The encryption key is derived from your password and never leaves your device in plaintext.
  • At Rest (Infrastructure): Firestore and Cloud Storage data are encrypted at rest by Google Firebase using AES-256.

5.2 Access Controls

  • Internal access to infrastructure is restricted to authorized personnel using role-based access control (RBAC).
  • All administrative access is logged and audited.
  • No employee has access to your Vault plaintext — the zero-knowledge architecture makes this technically impossible.
  • Multi-factor authentication (MFA) is enforced for all internal administrative accounts.

5.3 Security Headers

The Service enforces the following security headers via Firebase Hosting configuration:

  • Content-Security-Policy (CSP) to prevent cross-site scripting (XSS)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (prevents clickjacking)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy (restricts camera, microphone, geolocation)

5.4 Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act, 2023.

6. Your Data Protection Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the following rights regarding your personal data:

  • Right to Access: You can request a copy of all personal data we hold about you (excluding Vault data, which we cannot decrypt).
  • Right to Correction: You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You can request deletion of your account and all associated personal data, subject to legal retention requirements.
  • Right to Data Portability: You can export your personal data in a machine-readable format (JSON or CSV).
  • Right to Withdraw Consent: You can withdraw consent for data processing at any time, which will result in account deletion.
  • Right to Grievance Redressal: You have the right to file a complaint with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, email us at contact@duiid.com with the subject line "Data Rights Request." We will respond within 30 days.

7. Cookies and Tracking

The Service uses minimal cookies and local storage for the following purposes:

  • Authentication: Firebase Auth tokens stored in local storage / IndexedDB to maintain your login session.
  • Theme Preference: Your light/dark mode preference is stored in localStorage.
  • Analytics (optional): If enabled, anonymous usage analytics via Google Analytics. You can opt out through your browser settings.

We do not use advertising cookies, tracking pixels, or third-party advertising networks. The Service does not sell data to advertising platforms.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has registered or provided personal data, we will take steps to delete that information and terminate the account.

If you believe a child has provided personal data to us, please contact us immediately at contact@duiid.com.

9. International Data Transfers

Your data is primarily stored in the asia-south1 (Mumbai, India) region of Google Cloud Platform. However, certain third-party service providers (such as OpenAI for AI generation) may process data in other countries (e.g., the United States).

By using the Service, you acknowledge that your non-Vault data (such as AI prompts and account information) may be transferred to and processed in countries outside India. We ensure that all transfers comply with the DPDP Act's cross-border transfer requirements.

Your encrypted Vault data may be stored in global CDN edge locations for performance, but remains encrypted at all times and is meaningless without your key.

10. Grievance Officer

As required by the DPDP Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Company has appointed a Grievance Officer to address complaints regarding data protection and content-related issues.

Grievance Officer

Manaspurti Technologies Private Limited

Email: contact@duiid.com

Location: Panaji, Goa, India

Response time: Within 24 hours of receipt

Resolution time: Within 15 business days

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email and/or in-app notification at least 30 days before the changes take effect.

Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. The "Last Updated" date at the top indicates when the policy was last revised.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Manaspurti Technologies Private Limited

Email: contact@duiid.com

Jurisdiction: Panaji, Goa, India