Privacy Policy

Effective April 25, 2026 (v1.2)

1. What this document covers

This policy explains what data HerSquad collects about you, why we collect it, who we share it with, how long we keep it, and the choices you have. It is written to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Rules, 2021. If you do not agree with this policy, do not sign up.

2. What we collect

Data you give us directly at signup:

  • Name, email address, and phone number (phone optional for now)
  • Date of birth (to confirm you are 18+)
  • City and neighbourhood (so we can match you with women nearby)
  • Profile bio, interests, and photos
  • Messages you send on HerSquad
  • Referral code if a friend invited you (5-character code, not tied to any name)
  • Regular hangout spots you choose to list on your profile (optional, up to 5)

Verification data (Core tier, required to join):

  • A verification selfie (one still image, private, never shown on your profile)
  • A 60-second liveness video (shows you turning your head left and right so we confirm you are a real person and not a static photo). Recorded in one take, submitted once, never displayed publicly.
  • Government-issued identity data, either pulled via DigiLocker or uploaded manually as document images that we delete within 24 hours of review (see section 4 for specifics)

Plus verification (optional, adds a gold badge):

  • Instagram username and a one-time OAuth token used only to confirm the account is real, human, and belongs to you. We do not post, DM, or read your followers.

Collected automatically when you use the app:

  • Device type, operating system, app or browser version
  • IP address (used only for security, fraud prevention, and abuse detection, not sold)
  • Actions you take inside the app (which profiles you view, match, report, or block)

We do NOT collect:

  • Your real-time or continuous location. We only use the city, neighbourhood, and hangout spots you tell us.
  • Your contacts. We do not import your phone book.
  • Any data from outside HerSquad unless you tell us to (for example, your Instagram handle for Plus verification).
  • Biometric templates. We do not build a face print from your selfie or video.

3. How we use your data

To run the service, verify you are a real woman, match you with other verified members, keep the community safe, respond to your support requests, detect fraud and duplicate accounts, and improve the product. We never sell your data to advertisers. We never share your data with third parties for marketing.

4. Verification: selfie, liveness video, and ID

Selfie

One still selfie captured at onboarding. Stored in a private, access-controlled Supabase storage bucket. Only the founder and explicitly authorised reviewers can view it, and only for the purpose of verifying you are a real adult woman.

60-second liveness video

One short video recorded on device at onboarding. You turn your head left, then right, and optionally say the verification phrase shown on screen. Its only purpose is to confirm you are a real person and not a static photo or an AI-generated image. It is stored in the same private bucket as the selfie, never shown on your profile, never shared outside the verification review team, and never used to train any model.

DigiLocker (government ID)

We integrate with DigiLocker, the Government of India's official digital document platform, to pull your government-issued identity proof. When you press Verify, you are redirected to DigiLocker's authorised flow, you sign in with your own credentials, and you explicitly consent to share one document with HerSquad. The document options we accept are Aadhaar (masked), PAN card, passport, voter ID, or driving licence.

From the document we store only:

  • Your legal name as printed on the document (to match your profile name)
  • Your date of birth (to confirm 18+)
  • Your gender as stated on the document (to confirm the women-only policy)
  • A verification reference ID from DigiLocker

We do not store your Aadhaar number, PAN number, or the full document image. We do not share DigiLocker-sourced data with any third party other than the service providers that run our infrastructure.

Manual ID upload (alternative to DigiLocker)

If you do not use DigiLocker, you can upload an Indian government-issued ID directly. We accept Aadhaar (with the number masked per UIDAI guidelines), PAN, passport, voter ID, or driving licence. You upload three images: the front of the document, the back, and a selfie of you holding the document. The selfie-with-ID step is required to confirm the document is in your physical possession and not lifted from elsewhere.

A trained reviewer on our team checks the upload within 24 hours. From the document we extract and store only:

  • Your legal name as printed on the document (to match your profile name)
  • Your date of birth (to confirm 18+)
  • Your gender as stated on the document (to confirm the women-only policy)
  • The document type and the last 4 digits of the document number (for fraud prevention and to detect duplicate accounts)

The uploaded images are deleted from our storage within 24 hours of the review decision. We do not retain the full Aadhaar number, PAN number, or any document scan after that window. The selfie-with-ID image is treated with the same privacy as your verification selfie: never shown publicly, never used for AI training.

Plus tier: Instagram

Plus verification is optional. If you opt in, we run a one-time OAuth flow with Instagram to confirm the handle you provided is a real account. We never post, never DM, and never read your followers or follows.

5. Data retention windows

We keep data only as long as we need to, after which it is deleted or anonymised.

Profile (active account): Kept for as long as your account exists.
Profile after deletion request: Removed within 30 days. Some logs may be kept up to 90 days for fraud and safety investigation.
Selfie (verification): 180 days after approval or rejection, then deleted.
60-second liveness video: 90 days after approval or rejection, then deleted. Kept shorter than the selfie because the still image alone is enough for duplicate-account review.
DigiLocker verification data: Retained as long as the account is active. On deletion, removed within 30 days, except the name, DOB, gender, and DigiLocker reference ID which we retain for 12 months for audit and fraud-prevention purposes, as permitted under the DPDP Act for legitimate uses including detecting and preventing fraud.
Manual ID upload images: Deleted within 24 hours of the manual review decision. The extracted name, DOB, gender, document type, and last 4 digits of the document number follow the same retention as the DigiLocker reference data above (12 months post-deletion for fraud prevention).
Selfie-with-ID image (manual upload only): Deleted with the rest of the upload images within 24 hours of review. Never shown publicly, never used for AI training.
Messages between members: Kept as long as both accounts exist. Either party can delete their copy at any time.
Reports and moderation records: Kept for 24 months. Required for fair, consistent enforcement and for law-enforcement cooperation if needed.
IP address and security logs: 180 days, after which anonymised.
Instagram OAuth token (Plus tier): Discarded immediately after the verification check. Only the handle is kept.

6. Who we share data with

  • Service providers that run our infrastructure (Supabase for database and storage, Vercel for hosting, Google for sign in, DigiLocker for government-issued ID verification). They only process data on our behalf, under contract, and cannot use it for their own purposes. Manual ID uploads are reviewed only by HerSquad's in-house verification team and are never sent to a third-party processor.
  • Law enforcement, only when we receive a valid legal process (court order, notice under IT Act Section 69, or equivalent). We log every such request and forward it to legal counsel before responding.
  • Nobody else. No advertisers, no data brokers, no analytics partners who take your identity with them.

7. Your rights under the DPDP Act

As a Data Principal under the DPDP Act, 2023, you have the following rights over your personal data. We will act on any valid request within 30 days.

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to fix any data that is inaccurate or incomplete.
  • Erasure: delete your account and associated data, subject to the retention windows in section 5 above.
  • Grievance redressal: raise a complaint with our grievance officer (section 13) and receive a resolution within the timelines below.
  • Nominate: name a person to exercise your rights if you are deceased or become incapacitated.
  • Withdraw consent: revoke any consent you have given. Withdrawal does not affect lawful processing done before the withdrawal. Withdrawing consent to verification means your account must be deleted, since verification is core to the women-only promise.

To exercise any of these rights, email vineetgaur19@gmail.com from the email address on your account.

8. Our legal basis for processing

Under the DPDP Act, we process your data on the following grounds:

  • Consent for profile data, messages, interests, hangout spots, and Plus-tier Instagram verification. You give this when you sign up and can withdraw any time.
  • Legitimate uses as defined in section 7 of the DPDP Act, for fraud prevention, platform safety, and legal compliance. This covers IP logs, device metadata, moderation records, and the minimal DigiLocker reference data we keep for fraud and duplicate-account checks.
  • Performance of a contract for delivering the matching, messaging, and verification features you signed up for.
  • Compliance with law when we respond to valid legal process.

9. Children

HerSquad is strictly for adults 18 and above. We do not knowingly collect data from anyone under 18. Our DigiLocker age check is how we enforce this. If you suspect a minor is using HerSquad, please report it to vineetgaur19@gmail.com and we will act within 24 hours.

10. International users

HerSquad is built for India. If you access it from outside India, your data will still be processed on servers located in India (Supabase ap-south-1, Mumbai) and according to Indian law, including the DPDP Act, 2023.

11. Security

We use HTTPS across the site, hashed passwords, Row Level Security on every database table, private buckets for selfies and verification videos, and least-privilege access for reviewers. No system is perfect. If we detect a breach that affects you, we will notify you and the Data Protection Board of India within 72 hours, as required under the DPDP Act.

12. Changes to this policy

Material changes get 7 days' notice in the app and by email before taking effect. Version history is tracked at the top of this page (currently v1.1, effective April 23, 2026).

13. Contact and grievance officer

Vineet Gaur

Founder and Grievance Officer, HerSquad

vineetgaur19@gmail.com

Acknowledgement within 48 hours of receiving a grievance.

Resolution within 15 days, as required under Indian IT Rules, 2021, and the DPDP Act, 2023.

If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India once that body is operational under the DPDP Act.