Privacy Policy
Effective Date: 26th February 2026 (DPDP-aligned)
MISYOU ("we", "our", or "us") values your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our mobile application and website.
1. Information We Collect
We may collect the following information:
- Personal details (name, phone number, email address)
- Information about missing persons (name, photo, last seen location, physical description)
- Device information (IP address, device type, browser type)
- Location data (only if you explicitly allow it)
- Payment information (processed securely through third-party payment gateways)
2. How We Use Information
We use the collected data to:
- Help locate missing persons
- Display reports publicly within the app to maximize visibility
- Improve app functionality and user experience
- Communicate with users regarding their reports or account
- Process subscription payments
- Comply with legal obligations
3. Publicly Shared Information
Any information submitted regarding missing persons (including photos, name, physical description, and last seen location) will be visible to other users of the app and may be shared publicly to aid in locating the missing person.
4. Photo & Biometric Data
Photos uploaded may contain facial features. By uploading photos, you confirm:
- You have the legal right or consent to share these images
- The photos are of the actual missing person
- You understand these images will be publicly visible
- You accept responsibility for any legal issues arising from the photos
5. Data Accuracy & Responsibility
Users are solely responsible for ensuring that the information they provide is accurate, truthful, and lawful. We do not independently verify all submissions. Submitting false information may result in account termination and legal action.
6. Data Security
We implement reasonable technical and organizational measures to protect your data against unauthorized access, alteration, or destruction. However, no digital platform can guarantee 100% security.
7. Data Retention Schedule
We retain the minimum data necessary for the stated purpose, in line with §8(7) of the DPDP Act, 2023. Specific retention windows for each category are:
| Data category | Retention | Deletion trigger |
|---|---|---|
| Account profile (name, email, phone) | For the lifetime of the account | 30 days after the user requests account deletion (soft-delete grace window) |
| Active missing-person case data & photos | Up to 30 days from posting (15 free + 15 grace) | Auto-deletion if not extended via subscription. Closed-safe cases retained 2 years for reference. |
| FIR copy & guardianship documents | Until the parent case is deleted, then 90 days for audit | Same as parent case + 90-day cooling-off, then permanently erased |
| Sightings submitted | Linked to parent case | Deleted when the case is deleted |
| Payment transactions | 8 years | As mandated by the Income Tax Act & GST law |
| Evidence / audit logs (IP, UA, action timestamps) | 24 months, or the duration of an active investigation, whichever is longer | Auto-purged after the retention window |
| Consent records (version, timestamp, IP) | 7 years after the latest update | Required to prove lawful processing under DPDP §6 |
You can request a copy of your data or its erasure at any time from Settings → Privacy.
8. Data Sharing with Authorities
We may share user data with law enforcement agencies if:
- Legally required by court order or government request
- Necessary to assist in locating a missing person
- Required to prevent fraud, abuse, or illegal activity
- Needed to protect the safety of any individual
8a. Evidence Logging for Safety & Cybercrime Cooperation
Because MISYOU is a safety-critical platform that is frequently targeted by scammers and extortionists, we maintain internal, admin-only evidence logs for every safety-relevant action. These logs help us cooperate with police investigations and make cybercrime reporting easier for affected families.
For each safety-relevant request we retain:
- IP address and a derived user-agent / device fingerprint.
- Server-side timestamps of logins (success & failure), case creations, sighting submissions, abuse reports, payments and moderator actions.
- Account identifiers (user ID, email, optional phone) and consent timestamps.
- The verbatim text of abuse / scam reports, including any suspect phone numbers and emails the reporter chose to share.
- Content hashes of uploaded photos — used to flag recycled or AI-generated submissions.
- QR-scan / share events linked to a case (for poster-distribution analytics).
What we do NOT retain: MISYOU does not currently host an in-app calling or chat feature, and we do not record phone calls or off-platform messages. If a scammer contacts you off-platform, please save those screenshots yourself and attach them to an abuse report — we will then preserve them as part of the case evidence chain.
How we use these logs:
- To investigate abuse reports and ban repeat offenders.
- To assist your local police station when a family files a complaint about extortion, stalking or impersonation linked to a MISYOU case.
- To assist cybercrime.gov.in investigations (helpline 1930) on lawful request.
- To respond to court orders, summons, or legitimate written law-enforcement requests.
What we will NOT do: we will not sell, rent or share these evidence logs with advertisers, data brokers or any commercial third party. They are encrypted at rest and accessible only to a small number of vetted MISYOU administrators.
Retention: evidence logs are retained for up to 24 months from the date of the event, or for as long as required by an active investigation, whichever is longer.
9. Third-Party Services & Cross-Border Data Transfer
MISYOU is designed as an India-first service and all primary data (cases, photos, FIR copies, guardianship documents, audit logs) is stored on infrastructure operated within India. However, a limited set of transactional data is processed by the following third parties:
| Service | Purpose | Jurisdiction | Data shared |
|---|---|---|---|
| Stripe, Inc. | Card payment processing for subscriptions | United States | Name, email, card number (handled directly by Stripe — never touches our servers), transaction amount |
| Paytm Payments Services Ltd. | UPI & card payment processing (post-onboarding) | India | Name, email, transaction amount |
| Google LLC (Google OAuth) | "Continue with Google" sign-in | United States | Name, email, Google profile picture (only if you choose this sign-in method) |
| Emergent Integrations (AI inference) | Optional AI image analysis on missing-person photos | India / United States (provider-routed) | The specific photo you ask us to analyse |
These transfers are made strictly on the lawful basis of necessity for performance of a contract with you (DPDP Act, 2023 §7(d)) and are limited to the categories above. None of these providers are located in a country notified by the Central Government as restricted under DPDP §16.
You can avoid the US-based card processor by paying via UPI or Paytm wallet once that option is enabled, or by emailing grievance@misyou.in to arrange an India-only payment.
10. Your Rights as a Data Principal (DPDP Act, 2023)
Under §11–13 of the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
- Right of access. Download a complete copy of the data we hold about you in JSON format from Settings → Privacy.
- Right to correction & erasure. Edit your profile from your dashboard, or request a full account erasure (30-day grace window) from the same page.
- Right to withdraw consent. Withdraw your consent at any time with one click from Settings → Privacy. Withdrawal is as easy as giving it (DPDP §6(4)). Note that withdrawing consent will prevent you from submitting new cases or sightings.
- Right to nominate. Nominate another individual (e.g., spouse or sibling) to exercise these rights on your behalf in the event of your death or incapacity.
- Right of grievance redressal. Contact our Grievance Officer (details below). We will acknowledge within 24 hours and substantively respond within 7 days.
- Right of appeal. If you are not satisfied with our resolution, you have the right to file a complaint with the Data Protection Board of India.
All of the above are exposed as in-app actions on Settings → Privacy — no email request is needed for the standard cases.
11. Consent Withdrawal
You may withdraw consent for data processing at any time from Settings → Privacy. Withdrawing consent does not delete your account or past records — for that, use the "Delete my account" action separately. Once consent is withdrawn, you will not be able to submit new cases or sightings until you re-accept the policy.
12. Children's Privacy
We do not knowingly collect personal data from children under 18 without parental or guardian consent. If you believe a child has provided us with personal information, please contact us immediately.
13. Service Scope
MISYOU is currently available only to users located in India. All data is collected, stored, and processed within India under Indian data protection laws. International availability may be considered in the future and will be announced separately.
14. Governing Law & Compliance
This Privacy Policy is governed by and complies with:
- Digital Personal Data Protection Act, 2023 (primary law)
- Information Technology Act, 2000
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — to the extent not superseded by DPDP, 2023
- The Bharatiya Nyaya Sanhita, 2023 & the Protection of Children from Sexual Offences (POCSO) Act, 2012 — for the safety-related obligations of a missing-persons platform
For all DPDP-related queries, please contact our Grievance Officer (details in Section 17 below). Any dispute arising out of this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Talwandi Sabo, Punjab, India.
15. Changes to Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes through the app or via email. Continued use of the app after changes constitutes acceptance of the updated policy.
16. Contact Us
Email: contact@misyou.in
Phone: +91 81464 99739
Business Name: MISYOU
Jurisdiction: Bathinda, Punjab, India
16A. Data Security & Encryption at Rest
We take the protection of sensitive uploads seriously. Specifically:
- FIR copies and guardianship documents are stored in a dedicated, access-controlled database collection (sensitive_documents) and are encrypted at rest with AES-128 in CBC mode (Fernet). The encryption key is held only in the production server's protected environment, never in source code, and is rotated on incident response.
- These documents are never returned by any public API. Access by a moderator or admin is recorded with the user ID, timestamp, and access count on the document record itself — so unusual access patterns (e.g., one account opening hundreds of documents) can be spotted and investigated.
- AI image analysis (an optional feature) requires explicit per-photo consent from the data principal before any photo is sent to the third-party model provider (Gemini, routed via Emergent Integrations). You can post a case without ever using this feature.
- Passwords are hashed with bcrypt (cost factor 12) and are never returned by any endpoint, including the DPDP data-export endpoint.
16B. Breach Notification Commitment (DPDP §8(6))
In the event of a personal-data breach, MISYOU commits to:
- Contain the breach and rotate any compromised secrets within 30 minutes of detection.
- Notify the Data Protection Board of India within 72 hours, and within 24 hours if sensitive uploads (FIR / guardianship documents), children's records, or more than 100 data principals are affected.
- Notify every affected data principal by email within the same window, with a clear statement of the categories of personal data involved, the actions taken, and the actions they can take.
- Publish a public incident notice on /security-incidents within 24 hours of the regulatory notification, including a non-personal summary of what happened, the number of principals affected (as a range), and our mitigation plan.
- Conduct a written post-mortem within 14 days and publish a closing update.
Our internal runbook (the operational steps the team follows) is reviewed at least every six months via a tabletop exercise. It is held at /app/memory/BREACH_NOTIFICATION_RUNBOOK.md and is available to regulators on request.
17. Grievance Officer (DPDP Act, 2023 §8(10))
In accordance with §8(10) of the Digital Personal Data Protection Act, 2023, we have appointed a dedicated Grievance Officer to address any queries, complaints, or requests relating to your personal data.
Grievance Officer
Name: Mr. Naresh Kumar
Email: grievance@misyou.in
Phone: +91 90412 99739
Working hours: 10:00 – 18:00 IST, Monday to Saturday
Response SLA: Acknowledgement within 24 hours, substantive resolution within 7 working days of receipt of the complaint.
Right of appeal: If you are not satisfied with the resolution, you may file a complaint with the Data Protection Board of India (the appellate authority constituted under Chapter V of the DPDP Act, 2023).
