Privacy Policy
Last updated: 1 May 2026 · Version 1.0
Published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") of India.
1. Identity of the Data Fiduciary
Tanvrit AI is operated by Tanvrit Pvt. Ltd. ("Tanvrit", "we", "us"), the data fiduciary under the DPDPA. Registered office: 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
2. Data Protection Officer
Vivek Singh (founder) acts as DPO under DPDPA Section 8(9) until a separate DPO is appointed. Email: dpo@tanvrit.com.
3. Local-First Architecture
Tanvrit AI is designed to be local-first. Your codebase is indexed on your own machine; the index, embeddings, and SQLDelight database stay on your disk. Tanvrit does not upload your source code to our servers. Where you connect a third-party AI provider (Claude, OpenAI, Gemini, DeepSeek, Groq, Mistral, Ollama), prompts and selected code chunks are sent directly from your machine to that provider under their own privacy policy — not via Tanvrit servers.
4. Personal Data We Collect
- Account — name, email, mobile (where you sign in to the cloud portal). Purpose: identify you for the optional cloud features. Retention: life of account + 90 days post deletion request.
- Authentication — password hashes, OTPs, magic-link tokens, refresh tokens, MCP bearer token (stored locally in your platform keychain). Retention: OTPs / magic-links 10 minutes; auth audit logs 365 days.
- Telemetry (opt-in) — anonymised counters: active platform, command names, tool-use counts, error class. PII guard rejects any value that looks like a path, URL, or email. Default OFF. Retention: 90 days raw events.
- Crash logs — stack trace, OS, app version, no source content. Retention: 90 days.
- Communications — emails to support. Retention: 3 years after the case closes.
- Billing (paid tiers) — Stripe / Razorpay tokenised reference IDs, invoices, GSTIN if you provide one. Retention: 7 years (Income Tax Act, GST Act).
We do not collect or transmit your indexed source code, embeddings, MCP queries, or AI prompts to Tanvrit servers.
5. Lawful Basis
Under DPDPA Section 4 we rely on consent (Section 6) for account creation, opt-in telemetry, and any optional cloud feature, and on certain legitimate uses (Section 7) for transactions you initiate (e.g. paid subscriptions), statutory compliance, and emergencies.
6. Sharing & Cross-Border Transfers
We do not sell personal data. Processors we use:
- Google Cloud Run (asia-south1, Mumbai) — hosts the optional cloud portal and telemetry endpoint. Data stays in India.
- MongoDB Atlas — primary database for cloud-portal accounts.
- Cloudflare — CDN for the marketing site at ai.tanvrit.com and DDoS protection.
- Stripe Inc. (United States) — international subscriptions where applicable.
- Razorpay (India) — UPI / cards / netbanking for Indian customers.
- Twilio Inc. (US, with Indian DLT partners) — transactional SMS / OTP.
- Google Analytics 4 on the marketing site for aggregate web analytics.
Cross-border transfers are performed under safeguards permitted by DPDPA Section 16. We do not transfer data to countries notified by the Central Government as restricted. When you connect an external AI provider, their own privacy policy applies to the prompts and code chunks you send to them — we recommend reviewing it.
7. Your Rights as a Data Principal (DPDPA Section 11)
- Access a summary of personal data we process.
- Correction or erasure of inaccurate data.
- Nominate another individual to exercise your rights.
- Grievance redressal.
- Withdraw consent (where consent is the basis of processing).
Email dpo@tanvrit.com from your registered address, or use the deletion form at /account/delete. We respond within 30 days.
8. Children's Data
Tanvrit AI is built for software developers. We do not knowingly collect personal data from users under 18. If a parent or guardian becomes aware that a child has signed up, please write to dpo@tanvrit.com and we will delete the account and refrain from any behavioural tracking.
9. Security
- TLS 1.3 in transit.
- AES-256-GCM at rest for personal-data fields on the cloud portal.
- JWT auth with mutex-protected refresh-token rotation.
- OTP rate limiting and passkey replay protection.
- MCP HTTP requests on localhost:19281 require an Authorization: Bearer <token> header; stdio mode trusts the parent process.
- Role-based access controls and audit trails on admin actions.
We do not currently hold ISO 27001 or SOC 2 attestations and do not claim a public uptime SLA. Availability is best-effort.
10. Breach Notification
We will notify the Data Protection Board of India and every affected data principal within 72 hours of detecting a personal-data breach, in line with DPDPA Section 8(6) and rules thereunder.
11. Retention
- Billing / financial records: 7 years.
- Inactive accounts after a deletion request: 90 days.
- Authentication logs: 365 days.
- Telemetry events: 90 days raw; aggregate counts longer.
- Local index, embeddings, MCP token: stored on your machine; deleted when you uninstall the app.
12. Cookies & Local Storage
- auth_token, refresh_token — cloud-portal session continuity; cleared on logout.
- mcp_bearer_token — stored in your platform's credential store (Keychain / Credential Manager / libsecret); never transmitted to Tanvrit.
- _ga, _ga_* — Google Analytics 4 on the marketing site only (not in the desktop app).
- Cloudflare anti-bot cookies (__cf_bm) — security; set by Cloudflare.
13. Updates to this Policy
Material changes are communicated to registered users by email at least 30 days in advance.
14. Grievance Redressal & Contact
Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
DPO: dpo@tanvrit.com
Product support: support@ai.tanvrit.com