Data Policy
Last updated: 11 July 2026 · Contact: team@edvet.in
This policy describes how Edvet stores, protects, retains, and deletes data. It complements the Privacy Policy (what we collect and why) and reflects our obligations under the DPDP Act, 2023.
1. Where data lives
- Application data is stored in a managed PostgreSQL database and object storage hosted on professional cloud infrastructure (currently Render, Singapore region, with encrypted backups).
- Uploaded documents (certificates, teaching videos) are stored in private buckets, accessible only through short-lived signed links.
- Conversations are stored to operate the service and for quality review of our AI-assisted operations.
2. Identity data — special handling
- We never store a full Aadhaar number. We keep the verification result from our KYC provider, the last four digits, and a salted one-way hash used solely to prevent banned users from re-registering.
- PAN, when provided, is stored as a salted hash plus the verification result.
- Face-match comparisons produce a numeric embedding, stored in a restricted table; the underlying rules never allow it to be used for anything except duplicate/fraud prevention.
- KYC provider raw responses are retained briefly for audit (60 days), then reduced to key fields.
3. Security measures
- Encryption in transit (TLS) everywhere; sensitive fields (addresses, dates of birth, KYC references) additionally encrypted at the application layer.
- Access on a strict need-to-know basis: internal team members see only what their role requires; every access to identity tables is logged.
- Webhooks and integrations are signature-verified; automated systems act through audited, permission-scoped internal APIs.
- An immutable audit log records who (human or automated agent) changed what, and when.
4. Retention schedule
- Enquiries that never become active: deleted or anonymised after 12 months.
- Conversations: 24 months, then summarised and redacted.
- KYC raw responses: 60 days (then key fields only).
- Tax records and invoices: 8 years (legal requirement).
- Fraud-prevention identity hashes of banned accounts: retained as a legitimate interest to protect users.
5. Deletion & export requests
Write to team@edvet.in or use your dashboard. Export is delivered in a machine-readable format. Erasure removes or anonymises personal fields within 30 days, except records the law obliges us to keep (listed above), which are isolated and access-restricted until their retention expires.
6. Breach response
We maintain an internal breach playbook: contain, assess, notify the Data Protection Board of India and affected users as required by the DPDP Act, and publish remediation steps. Suspected issues can be reported to team@edvet.in.
7. Processors
Current categories: cloud hosting & database, object storage, KYC verification, WhatsApp Business Platform, SMS, email, payments (teacher commissions), maps/geocoding, error monitoring, and product analytics. An up-to-date list of named vendors is available on request.
All policies