Privacy
Last updated: 2026-04-17 · India
What we collect
- Your Google account details on sign-in: email, display name, and profile picture URL.
- A phone number you enter during profile completion, plus a separate WhatsApp number if you tell us your primary phone doesn't have WhatsApp.
- Per pilgrim you add: full name, age, gender, and an Aadhaar number (12 digits). We also store your city and state if you choose to provide them.
- A server-side record of every credit movement, order, Govinda AI Agent fetch, and phone-home, kept for support and audit.
- IP address and user-agent of your Govinda AI Agent requests.
Aadhaar handling
Aadhaar numbers are treated as radioactive. They are:
- Encrypted with AES-256-GCM using a server-only key before being written to the database. Plaintext is only in memory for the microseconds it takes to encrypt.
- Never returned in any API response, never displayed to other users, and never included in logs, error messages, or exports.
- Visible to Govinda Seva admins as last 4 digits only, with the first 8 masked (e.g. ••••••••1234) for support, refund verification, and dispute resolution. The full number is decrypted only on the server, only at render time, and never sent to your browser.
- Hashed with SHA-256 plus a server-side pepper for per-user deduplication, so you can't accidentally add the same pilgrim twice. The hash is never exposed.
- Decrypted in the server handler that assembles the Govinda AI Agent payload, and only then to embed the value into the obfuscated JavaScript we deliver back to your own browser for filling the TTD form.
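The masking and peppered per-user deduplication described above, as an added sketch that is not Govinda Seva's own code. It assumes the pepper is used as an HMAC-SHA256 key; `PilgrimStore`, `dedup_hash`, the user IDs and the pepper are hypothetical, and the Aadhaar value is a constructed sample.

```python
import hashlib
import hmac
import re

def normalize_aadhaar(raw: str) -> str:
    """Drop spaces and hyphens, then require exactly 12 ASCII digits."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"[0-9]{12}", digits):
        raise ValueError("Aadhaar must be exactly 12 digits")
    return digits

def mask_aadhaar(raw: str) -> str:
    """Admin/support view: first 8 digits masked, last 4 visible."""
    return "•" * 8 + normalize_aadhaar(raw)[-4:]

def dedup_hash(pepper: bytes, user_id: str, raw: str) -> str:
    """Peppered SHA-256 scoped to one user (assumption: HMAC construction).

    Only 10**12 Aadhaar values exist, so an unkeyed SHA-256 could be
    enumerated; the secret pepper is what keeps the stored hash opaque.
    """
    msg = user_id.encode() + b"\x00" + normalize_aadhaar(raw).encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()

class PilgrimStore:
    """Hypothetical in-memory stand-in for a UNIQUE(user_id, hash) index."""

    def __init__(self, pepper: bytes):
        if len(pepper) < 32:
            raise ValueError("pepper should be at least 32 random bytes")
        self._pepper = pepper
        self._seen = set()

    def add_pilgrim(self, user_id: str, raw: str) -> bool:
        """Return False when this user already added the same Aadhaar."""
        key = (user_id, dedup_hash(self._pepper, user_id, raw))
        if key in self._seen:
            return False
        self._seen.add(key)
        return True

if __name__ == "__main__":
    store = PilgrimStore(bytes(range(32)))  # constructed pepper, demo only
    print(store.add_pilgrim("user-a", "1234 5678 9012"))
    print(store.add_pilgrim("user-a", "1234-5678-9012"))
    print(mask_aadhaar("1234 5678 9012"))
```

Because the user ID is part of the hashed message, the same pilgrim added under two accounts produces unrelated hashes, so the stored value cannot be used to link accounts.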
What we don't collect
- Payment information of any kind. All darshan fees go directly from you to TTD via UPI. We never see your UPI handle, bank details, or card numbers.
- Aadhaar photos, scans, or biometrics.
- Browsing or clickstream outside of our own pages.
Retention
- Account and pilgrim profiles: until you delete your account. Soft-deleted accounts are hard-deleted after 30 days.
- Orders and their pilgrim snapshots: retained for 1 year, then Aadhaar ciphertext is purged (order metadata kept for statistics).
- Credit ledger entries: kept forever as an immutable audit trail.
- Audit events: kept 7 years.
- Govinda AI Agent tokens: kept 30 days for debugging, then deleted.
Who can see your data
- You, through the app.
- Admins of Govinda Seva, for grants, refunds, and support. Admins see your email, phone, WhatsApp number, credit balance, orders, and audit events. They never see your Aadhaar.
- No third-party advertisers, analytics services, or tracking pixels. We don't sell or share your data.
Your rights
You can at any time:
- Edit or delete a pilgrim profile.
- Delete your entire account (this deletes all of your pilgrims and orders after a 30-day soft-delete delay).
- Request a refund on any unused credits via the refund flow inside the app.
If you want help exercising any of these, email privacy@govindaseva.org.
Security contact
Please report vulnerabilities to security@govindaseva.org. We will respond within 7 days.