Privacy Policy

Last updated: 7 May 2026

1. Introduction

This Privacy Policy explains how gocrd collects, uses, stores, and protects your personal information when you use our website, application, and related services. gocrd is operated as a product of Tanishkha, a GST registered proprietorship in Tamil Nadu, India.

2. Information We Collect

Information you provide:

  • Name, email address, and account details
  • Phone number, if provided
  • Family member profile information you choose to add
  • Finance, health, reminders, projects, software, and life event information you enter
  • Documents, notes, files, and reference numbers you choose to upload or save
  • Billing details required for subscription, invoice, or tax compliance

Information collected automatically:

  • IP address, device, and browser information for security and fraud prevention
  • Login activity and session information
  • Usage patterns and feature access to improve the Service
  • Error logs, diagnostics, and performance information

3. How We Use Your Information

  • To create and manage your account
  • To provide, operate, secure, and improve the Service
  • To store and display the information you choose to add
  • To send account, security, reminder, and service notifications
  • To process subscriptions, payments, invoices, refunds, and tax records
  • To debug errors, monitor performance, and prevent misuse
  • To comply with applicable legal, tax, accounting, and regulatory obligations

We do not sell or rent your personal information to third parties.

4. Sensitive Data and Security Measures

Some features may allow you to store sensitive personal information such as identity reference numbers (Aadhaar, PAN), insurance policy IDs, account numbers, health records, finance details, and similar private data. You are solely responsible for deciding what information you choose to store in gocrd.

We apply industry-standard security practices to protect your data, including HTTPS in transit, encryption-at-rest provided by our infrastructure providers, row-level access controls at the database, restricted administrative access, audit logging, and authentication controls.

gocrd is not designed or marketed as a password manager. We do not recommend storing login passwords, banking passwords, UPI PINs, card CVVs, crypto recovery phrases, or similar high-risk authentication secrets in gocrd. For those use cases, please use a dedicated password manager.

No digital system can be guaranteed to be completely secure. You should keep your own backup copies of critical documents and avoid storing information you are not comfortable managing digitally.

5. Secure Notes Vault and End-to-End Encryption

The Secure Notes module (available on the Signature plan) provides an additional, end-to-end encrypted vault for storing sensitive reference information such as identity numbers, policy IDs, locker references, and account numbers.

How the encryption works:

  • Your PIN is used to derive an encryption key in your browser using PBKDF2 with 250,000 iterations (SHA-256).
  • Vault content is encrypted with AES-256-GCM, an industry-standard authenticated encryption algorithm, before it leaves your device.
  • Your PIN itself never leaves your device. We do not store, see, or transmit your PIN.
  • Decryption only happens in your browser when you enter the correct PIN.

Because of this design, gocrd cannot read your vault content, cannot recover your PIN if you forget it, and cannot restore your vault data once it is wiped. You are solely responsible for remembering your PIN.

What you must NOT store in Secure Notes:

To comply with RBI, NPCI, and PCI-DSS rules, you must not store the following in any part of gocrd, including the Secure Notes vault:

  • Banking, UPI, or transaction PINs
  • One-Time Passwords (OTPs) or authentication tokens
  • Full credit or debit card numbers, CVVs, or expiry dates
  • Net banking passwords or login credentials
  • Crypto wallet seed phrases or recovery phrases

The Secure Notes vault is designed for reference information only - account numbers, policy details, locker info, identity numbers, family records, and similar non-credential data. We monitor inputs for risk keywords during entry and warn you before saving, but the responsibility for what you store remains with you.

Vault access controls:

  • A PIN-protected lock screen with auto-relock after a configurable period of inactivity (1 minute, 5 minutes, 15 minutes, 1 hour, or manual).
  • Lockout after repeated failed PIN attempts (escalating from 5 minutes to 24 hours).
  • A vault access log showing your unlocks, lockouts, and item changes - viewable from your privacy settings.
  • A reset option that wipes the vault if you have forgotten your PIN. Reset requires typing a confirmation phrase and is irreversible.

6. Data Storage and Access Controls

We use reasonable technical and organisational safeguards to protect user data, including authentication controls, role-based access, database-level row isolation, HTTPS/TLS in transit, logging, backups, and restricted administrative access.

Access to your account data is technically isolated from other users by row-level security at the database. Administrative access, where required for support, maintenance, legal compliance, or security investigations, is limited and logged. Vault content encrypted under your PIN remains unreadable to gocrd staff even during administrative access.

7. Third-Party Services

We use trusted third-party service providers to operate the Service. These providers may process limited data only as needed to provide their services.

  • Supabase - Database, authentication, and file storage
  • Vercel - Website hosting and deployment
  • Razorpay - Payment processing
  • Resend - Transactional email delivery
  • Sentry - Error monitoring and diagnostic logging
  • AI or document processing providers - Only when you explicitly use related features

We do not store your payment card details on our servers. Payment card information is handled directly by Razorpay. Secure Notes vault content is encrypted on your device and is not readable by any third-party service that may host it.

8. Payments, Billing, and GST Information

If you purchase a paid subscription, we collect or process billing details required to complete payment, generate invoices, maintain records, and comply with tax obligations. Payment information is processed by Razorpay. Invoices include applicable GST details, including the legal business information of Tanishkha.

9. Notifications

gocrd may send notifications related to your account, reminders, payments, security, subscriptions, and service updates. Push notifications may be used where enabled by you. In the future, WhatsApp notifications may be offered for eligible or premium users, subject to your consent and applicable provider rules.

10. Cookies and Session Data

gocrd uses cookies and similar technologies required for login, authentication, security, and session management. We may also use limited technical cookies or logs to improve reliability and detect abuse. We do not use advertising cookies or sell your personal information.

11. Your Rights

You may request to:

  • Access information associated with your account
  • Correct inaccurate information
  • Export your data where technically available (note: encrypted vault content cannot currently be exported in plaintext)
  • Delete your account and associated data
  • Withdraw consent for optional notifications or optional processing

To make a request, contact us at hello@gocrd.com. We will respond within a reasonable time as required by applicable law and technical feasibility.

12. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your data within a reasonable period, subject to backups, legal obligations, tax records, fraud prevention, and dispute resolution requirements. Encrypted vault content is deleted along with your account; because it is encrypted with your PIN, even before deletion, gocrd cannot read its contents.

13. Children's Privacy

gocrd is not intended for children to use independently. If family or child-related information is added, it should be managed by a parent, guardian, or authorised adult. If you believe information has been added without proper authority, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes may be notified through email or an in-app notice. Your continued use of the Service after changes means you accept the updated Privacy Policy.

15. Contact & Legal Information

Product: gocrd

Business Name: Tanishkha

Legal Name: Anisha Rajamurugan

GSTIN: 33BMVPA2143N2ZV

Constitution of Business: Proprietorship

Address: Ground Floor, 3-158, Middle Street, Swamythoppu, Kamarajapuram, Suchindrum, Kanniyakumari, Tamil Nadu - 629704, India

Email: hello@gocrd.com

Phone: +91 73068 12819