Govinda Seva

Privacy

Last updated: 2026-04-17 · India

What we collect

  • Your Google account details on sign-in: email, display name, and profile picture URL.
  • A phone number you enter during profile completion, plus a separate WhatsApp number if you tell us your primary phone doesn't have WhatsApp.
  • Per pilgrim you add: full name, age, gender, and an Aadhaar number (12 digits). We also store your city and state if you choose to provide them.
  • A server-side record of every credit movement, order, Govinda AI Agent fetch, and phone-home for support and audit.
  • IP address and user-agent of your Govinda AI Agent requests.

Aadhaar handling

Aadhaar numbers are treated as radioactive. They are:

  • Encrypted with AES-256-GCM using a server-only key before being written to the database. Plaintext is only in memory for the microseconds it takes to encrypt.
  • Never returned in any API response or web page, not even the last four digits.
  • Never included in logs, error messages, or exports.
  • Hashed with SHA-256 plus a server-side pepper for per-user deduplication, so you can't accidentally add the same pilgrim twice. The hash is never exposed.
  • Decrypted in the server handler that assembles the Govinda AI Agent payload, and only then — to embed the value into the obfuscated JavaScript we deliver back to your own browser for filling the TTD form.
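
One way to implement the encrypt-and-deduplicate handling listed above, as an added example that is not Govinda Seva's own code, using Node.js and its built-in crypto module. The in-process key and pepper, the record layout, the function names, the use of HMAC-SHA-256 to apply the pepper, and binding the user id as GCM associated data are all assumptions of this example.

```javascript
// Added example, not Govinda Seva's code. Keys, names and record layout are assumptions.
const crypto = require('node:crypto');

// Constructed secrets for the demo; a real deployment would load them from a secret store.
const ENC_KEY = crypto.randomBytes(32); // AES-256 key
const PEPPER = crypto.randomBytes(32);  // dedup pepper, kept separate from ENC_KEY

// Accept "1234 5678 9012" style input; reject anything that is not exactly 12 digits.
function normalize(aadhaar) {
  const digits = String(aadhaar).replace(/[\s-]/g, '');
  // The error text never echoes the value, so it cannot leak into logs.
  if (!/^\d{12}$/.test(digits)) throw new Error('invalid identifier format');
  return digits;
}

// Per-user dedup tag. A 12-digit number has only 10^12 possible values, so an
// unkeyed SHA-256 could be brute-forced; the secret pepper is what prevents that.
// HMAC-SHA-256 is used here as the way to combine pepper and value (assumption).
function dedupTag(userId, aadhaar) {
  return crypto.createHmac('sha256', PEPPER)
    .update(`${userId}:${normalize(aadhaar)}`)
    .digest('hex');
}

// Encrypt with a fresh 96-bit nonce per record. The user id is bound as AAD, so a
// ciphertext copied onto another user's row fails authentication on decrypt.
function sealAadhaar(userId, aadhaar) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  cipher.setAAD(Buffer.from(String(userId)));
  const ct = Buffer.concat([cipher.update(normalize(aadhaar), 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag(), dedup: dedupTag(userId, aadhaar) };
}

// Decrypt for the one handler that needs plaintext; throws if the ciphertext,
// tag or owning user id has been altered.
function openAadhaar(userId, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, rec.iv);
  d.setAAD(Buffer.from(String(userId)));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}
```

The stored row holds only `iv`, `ct`, `tag` and `dedup`; a unique index on `dedup` is what would reject a duplicate pilgrim without ever comparing plaintext.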

What we don't collect

  • Payment information of any kind. All darshan fees go directly from you to TTD via UPI. We never see your UPI handle, bank details, or card numbers.
  • Aadhaar photos, scans, or biometrics.
  • Browsing or clickstream outside of our own pages.

Retention

  • Account and pilgrim profiles: until you delete your account. Soft-deleted accounts are hard-deleted after 30 days.
  • Orders and their pilgrim snapshots: retained for 1 year, then Aadhaar ciphertext is purged (order metadata kept for statistics).
  • Credit ledger entries: kept forever as an immutable audit trail.
  • Audit events: kept 7 years.
  • Govinda AI Agent tokens: kept 30 days for debugging, then deleted.

Who can see your data

  • You, through the app.
  • Admins of Govinda Seva, for grants, refunds, and support. Admins see your email, phone, WhatsApp number, credit balance, orders, and audit events — they never see your Aadhaar.
  • No third-party advertisers, analytics services, or tracking pixels. We don't sell or share your data.

Your rights

You can at any time:

  • Edit or delete a pilgrim profile.
  • Delete your entire account (all of your pilgrims and orders are deleted after a 30-day soft-delete delay).
  • Request a refund on any unused credits via the refund flow inside the app.

If you want help exercising any of these, email privacy@govindaseva.org.

Security contact

Please report vulnerabilities to security@govindaseva.org. We will respond within 7 days.