Privacy Policy

What data we collect

To issue a verification certificate, we collect and process:

• Mobile number (required for account and OTP)
• Name and date of birth (from Aadhaar — UIDAI source)
• Masked Aadhaar number (last 4 digits only)
• Income band derived from ITR data (not the raw figure)
• CIBIL score range (bucketed — not the exact score)
• LinkedIn profile URL (if provided)
• Email address (optional)

Raw Aadhaar XML, ITR filings, and CIBIL reports are never stored. We extract only the minimum necessary derived data and immediately discard the source.

Who can see your data

• You — always, via your dashboard.
• Certificate viewers — only after you share your OTP consent. Each view is logged.
• Our verification team — only for L2/L3 manual review steps, under strict access controls.
• No third parties — we do not sell, share, or lease your data.

Data retention

Certificate data is retained for the lifetime of your account. You can request deletion at any time. Upon deletion, all PII is purged within 30 days; audit logs are retained for 90 days for fraud prevention purposes.

Your rights

• Right to access — request a copy of your stored data.
• Right to delete — request complete deletion of your account and data.
• Right to correct — update inaccurate information via your dashboard.
• Right to revoke — revoke your certificate at any time; revoked certificates cannot be verified.

To exercise any right, email privacy@milnesepehle.in.

Security

All PII is encrypted at rest (AES-256) and in transit (TLS 1.3). Certificate PDFs are stored in encrypted S3 buckets and served only via time-limited signed URLs. OTPs are hashed with bcrypt and never stored in plaintext. We use rate limiting on all sensitive endpoints to prevent enumeration attacks.

Cookies

We use one session cookie (msp_session) for authentication. It is HttpOnly, Secure, and SameSite=Lax. We do not use advertising or tracking cookies.

Contact

For privacy questions or data requests: privacy@milnesepehle.in