Privacy Policy
Last updated: 5 March 2026 | Effective: 5 March 2026
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
1. Data Fiduciary
CivicRate (accessible at civicrate.in) is operated by the CivicRate Team. For the purposes of the DPDP Act 2023, we are the Data Fiduciary responsible for processing your personal data.
- Contact: support@civicrate.in
- Grievance Officer: support@civicrate.in
- Address: New Delhi, India
2. Information We Collect
We collect the minimum data necessary for platform operation:
| Data Type | Purpose | Retained For |
|---|---|---|
| Name & Age | SHA-256 hashed for voter fingerprint (prevents duplicate votes). Not stored in plain text. | Hash only — indefinite |
| Phone Number (OTP) | One-time verification via Firebase Auth. Hashed after verification. | Hash only — indefinite |
| Ratings (1-5 stars) | Displayed publicly as anonymous aggregate scores | Indefinite (public civic data) |
| Comments | Displayed publicly without identifying info | Until moderated/removed |
| IP Address | Rate limiting, anti-bot security | 30 days, then purged |
| Analytics (GA4) | Anonymous site usage understanding | Google's retention policy |
3. Lawful Basis for Processing (DPDP Act 2023)
- Consent: By submitting a rating, you consent to the processing of your name, age, and phone number for voter verification purposes.
- Legitimate Interest: We process IP addresses and device data for security and anti-abuse purposes (preventing bot manipulation of democratic ratings).
- Public Interest: Aggregate civic rating data serves the public interest of democratic accountability.
4. How We Protect Your Data
- SHA-256 hashing with server-side salt for all identity data (irreversible)
- HTTPS (TLS 1.2+) encryption on all connections
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- IP-based rate limiting on all forms
- CSRF token validation on all POST requests
- Firebase Authentication for phone OTP (Google infrastructure)
- WAL-mode SQLite with restricted access
5. What We Do NOT Do
- We never sell, rent, or share personal data with third parties
- We never display voter names alongside ratings
- We never use personal data for advertising, marketing, or profiling
- We never store names or ages in plain text
- We never track browsing across other websites
- We never share data with any political party, candidate, or government body
6. Cookies
We use only essential cookies:
- Session cookie: CSRF token, login state (essential, no consent needed)
- Theme preference: Light/dark mode choice (localStorage, not a cookie)
- Google Analytics: Anonymous browsing data (you may opt out via browser settings)
We do not use advertising cookies, tracking pixels, or social media cookies.
7. Your Rights (DPDP Act 2023)
As a Data Principal under the DPDP Act, you have the following rights:
- Right to Access: Request information about what data we process related to you
- Right to Correction: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data (subject to legitimate retention needs)
- Right to Grievance Redressal: File a complaint with our Grievance Officer
- Right to Nominate: Nominate another person to exercise your rights in case of death or incapacity
To exercise any right, email support@civicrate.in with subject "Data Rights Request." We will respond within 72 hours.
8. Third-Party Services
- Google Analytics (GA4): Anonymous usage analytics (see Google Privacy Policy)
- Firebase Authentication: Phone OTP verification (see Firebase Privacy)
- Render.com: Hosting provider (see Render Privacy)
We do not use any advertising networks, social media SDKs, or data brokers.
9. Data Transfer
Your data is processed on servers in Singapore (Render.com). Firebase Auth data is processed by Google. We do not transfer data to any other country or entity.
10. Children
CivicRate is intended for Indian citizens aged 18 and above (voting age). We do not knowingly collect data from anyone under 18. If we discover we have collected data from a minor, we will delete it immediately.
11. Changes to This Policy
We may update this policy periodically. Material changes will be notified via a banner on the homepage. Continued use after changes constitutes acceptance.
12. Grievance Officer
Grievance Officer: CivicRate Team
Email: support@civicrate.in
Response Time: Acknowledgment within 24 hours, resolution within 15 days
As required under Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
13. Contact
For all inquiries (privacy, data rights, grievances, legal): support@civicrate.in