Privacy Policy – Cybermitra.ai

Last Updated: June 10, 2025 

1. Introduction


Welcome to Cybermitra.ai (“Cybermitra.ai,” “we,” “us,” or “our”). We are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our website, mobile application, Interactive Voice Response (IVR) system, and related services (collectively, the “Service”) designed to assist victims of digital financial fraud in India.
This Policy is drafted in compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”). By using our Service, you signify your understanding and agreement with the practices described in this Policy. If you do not agree, please do not use the Service.


2. Information We Collect (Personal Data)


We collect personal data that you provide directly to us, data generated during your use of the Service, and potentially data from third-party sources when necessary and legally permissible. The types of personal data we may collect include:
Personal Identification Information: Name, phone number, email address, residential address, and potentially government-issued identification details if required for verification or reporting purposes mandated by authorities.
Fraud Incident Details: Information you provide about the fraud incident, including dates, times, amounts involved, descriptions of the scam, details of suspected fraudsters (if known), and communications related to the fraud.
Fraud Evidence & Financial Details: We do not ask you to directly input your own sensitive financial details (like full bank account numbers, credit/debit card details). However, as part of providing fraud evidence, you may upload documents (such as screenshots, bank statements, transaction receipts) that contain sensitive financial information related to the fraud (e.g., your bank’s transaction IDs, UPI IDs, details of the fraudster’s accounts, or partially masked card details). This data is processed for the sole purpose of documenting and reporting the fraud incident as per your explicit instruction.
Communications Data: Recordings or transcripts of your calls with our IVR system, chat logs within our application, email correspondence with us, and feedback you provide.
Technical Information: IP address, device type, operating system, browser type, unique device identifiers, application usage data (features used, time spent), and website usage data collected through cookies or similar technologies (see Section 10).
Location Information: General location derived from your IP address or more specific location if required for the Service and provided with your consent via mobile device settings.
App-Specific Data Collection & Permissions:
When you use our mobile application, we may request certain permissions to enable specific features:
Camera access: To allow you to capture and upload photos or videos of fraud evidence (e.g., scam messages, transaction details, fraudulent documents).
Storage/Files access: To enable you to select and upload documents (e.g., PDFs, images, screenshots) that serve as evidence for your fraud report.
Contacts access: To allow you to easily select and add contact details (e.g., the phone number of a suspected fraudster or victim) directly from your device’s contact list when reporting a fraud incident. We do not access your contacts for any other purpose or store your entire contact list.


3. How We Use Your Information (Purpose of Processing)


We use your personal data only for specified, explicit, and legitimate purposes, including:
Providing and Managing the Service: To register you, understand the details of the fraud incident, utilize AI to analyze and structure the information, assist you in compiling necessary documentation, facilitate the reporting process to relevant entities (banks, payment gateways, law enforcement portals like NCRP) based on your explicit instruction, and provide guidance.
Communication: To communicate with you about your case, provide updates, respond to your inquiries, send service-related notifications, and request feedback.
Improving Our Service: To analyze usage patterns (often using aggregated or anonymized data), troubleshoot issues, and enhance the functionality and user experience.
AI Model Training (Fraud Detection): Our “Fraud Detect” feature allows you to identify potential scam messages. Data you provide through this feature, along with fraud incident details, is used to train and monitor our machine learning algorithms. This helps us improve the accuracy of our fraud detection capabilities and enhance the Service for all users, with appropriate safeguards like anonymization applied to protect privacy.
Security and Fraud Prevention: To protect the security and integrity of our Service, detect and prevent misuse or further fraudulent activity.
Legal and Compliance: To comply with applicable Indian laws, regulations, court orders, or legal processes, and to establish, exercise, or defend legal claims.
We do not collect or use your personal data for marketing or advertising purposes.


4. Legal Basis for Processing (Under DPDP Act)


We process your personal data based on the following legal grounds as defined under the DPDP Act:
Consent: For most of our processing activities, especially collecting and using your personal identification information, fraud details, and evidence (including financial details contained within it) to provide the core assistance Service, we rely on your free, specific, informed, and unambiguous consent, obtained when you choose to use our Service and provide this data. You have the right to withdraw your consent at any time (see Section 8).
Legitimate Interests: We may process limited technical or usage data for legitimate interests such as improving our Service, ensuring security, or performing analytics, provided these interests are not overridden by your fundamental rights and freedoms. We implement safeguards when relying on legitimate interests.
Compliance with Law: We may process data if required to comply with a legal obligation under Indian law.


5. How We Share Your Information


We do not sell your personal data. We share your information only in the following limited circumstances:
With Your Explicit Consent/Direction: We will share your fraud report details (containing personal and financial information) with third parties like banks, financial institutions, payment gateways, or law enforcement portals (e.g., NCRP) only when you explicitly authorize or direct us to do so as part of the fraud reporting process facilitated by our Service. For example, when you complete and confirm the submission of a fraud report within the “Report Fraud” section of our app or website, you are providing this explicit instruction.
Third-Party Service Providers: We engage trusted third-party companies and individuals to perform services on our behalf (e.g., cloud hosting providers [potentially within India], communication platforms, data analytics providers like Google Analytics and Firebase Analytics). These providers have access to your personal data only to perform these tasks on our behalf and are obligated by contract not to disclose or use it for any other purpose.
Legal Requirements: We may disclose your information if required by law, subpoena, court order, or other governmental request, provided such request is valid under Indian law. We will attempt to notify you about legal demands for your personal data when appropriate, unless prohibited by law or court order, or when the request is an emergency.
Business Transfers: If Cybermitra.ai is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
Aggregated or Anonymized Data: We may share aggregated or anonymized data (which cannot reasonably identify you) for research, statistical analysis, or industry reporting purposes.


6. Data Security


We implement reasonable security practices and procedures as required under the IT Act, 2000 and DPDP Act, 2023, including technical, administrative, and physical safeguards designed to protect your personal data from unauthorized access, use, disclosure, alteration, or destruction. This includes measures like encryption (for data in transit and at rest where appropriate), access controls, and regular security assessments. However, no internet transmission or electronic storage method is 100% secure, and we cannot guarantee absolute security.


7. Data Retention


We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Service, resolving disputes, establishing legal defenses, conducting audits, pursuing legitimate business purposes, enforcing our agreements, and complying with applicable laws (including data retention periods mandated by law).
For sensitive financial information contained within uploaded fraud evidence, we process and retain this data only as long as required for the specific purpose of assisting with your fraud report and fulfilling legal or regulatory obligations. We do not permanently store raw sensitive financial numbers after the reporting process is complete, beyond what is necessary for audit logs, legal compliance, or as contained within necessary report submissions. Once the purpose is fulfilled and legal retention periods expire, we will securely delete or anonymize your personal data.


8. Your Rights as a Data Principal (Under DPDP Act)


Under the DPDP Act, you have certain rights regarding your personal data:
Right to Access: You have the right to obtain confirmation about the processing of your personal data and access to that data and related information.
Right to Correction and Erasure: You have the right to request correction of inaccurate or incomplete personal data and erasure of personal data that is no longer necessary for the purpose it was collected, subject to legal limitations.
Right to Grievance Redressal: You have the right to lodge complaints regarding the processing of your personal data with our Grievance Officer (details below).
Right to Nominate: You may have the right to nominate another individual to exercise rights on your behalf in case of death or incapacity.
Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw it at any time. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw consent, we may not be able to provide certain aspects of the Service.
To exercise these rights, you can use the “Contact Us” link available within the app, which will redirect you to our contact website, or you can directly contact our Grievance Officer using the details provided in Section 14. We will respond to your request in accordance with applicable law.


9. Use of AI and Automated Processing


Our Service utilizes AI to analyze fraud details, structure information, and provide assistance. This may involve automated processing of your data, including the “Fraud Detect” feature described in Section 3, which uses AI to identify potential scam messages based on user input and training data. While the AI assists in identifying patterns and preparing information, critical actions like submitting reports to third parties typically require your review and explicit confirmation. We strive for transparency in our use of AI.


10. Cookies and Tracking Technologies


Our website and application may use cookies and similar tracking technologies (like pixels and web beacons) to collect technical information, enhance user experience (e.g., remembering settings), and analyze usage patterns. Specifically, our mobile application uses Google Analytics and Firebase Analytics to understand app usage, improve performance, and detect issues. You can usually manage your cookie preferences through your browser settings.


11. International Data Transfers


Currently, we primarily store and process your personal data within India. If we transfer your personal data outside India in the future (e.g., using a service provider located abroad), we will ensure appropriate safeguards are in place as required by the DPDP Act and other applicable laws to protect your data.


12. Children’s Privacy


Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.


13. Changes to This Privacy Policy


We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new policy on our website/app or by sending you a notification. We encourage you to review this Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.


14. Contact Us & Grievance Officer


If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact our Grievance Officer:
Grievance Officer Name: Bhanu Pratap Singh
Email: [email protected]
Address: CyberMitra.ai, D114, Sector 63a, Noida, Prayagraj, Uttar Pradesh, India


We will endeavor to address your concerns promptly and effectively in accordance with applicable law.