Privacy Policy

1. Who We Are

Anchora is a cryptographic audit-trail API. The Service is currently provided by:

• Operator: Vigneshwaran BS (sole founder)
• Location: Chennai, Tamil Nadu, India
• Contact: vigneshwaran.bs@anchora.co.in
• Status: Early-stage; formal company setup is in progress.

For users in India, the operator above acts as the Data Fiduciary and the designated Grievance Officer under the Digital Personal Data Protection Act, 2023 (DPDP Act). Once company registration completes, this Privacy Policy may transfer to the registered entity and we will notify registered users of any change.

2. Information We Collect

We collect only what is needed to provide the Service. There is no behavioural tracking, no advertising network, and no sale of data to any third party.

Account information

• Name, email address, and (optional) company name you provide on sign-up
• API keys and authentication credentials linked to your account (stored as one-way hashes; never recoverable in plaintext after creation)

Usage data

• API request metadata: endpoint called, timestamp, response status, latency
• IP address and basic user-agent string for security and rate limiting
• Aggregate counts of records anchored, verified, and verified on-chain per project

What we do not collect

• The contents of records you anchor in hash-only mode — only the SHA-256 fingerprint ever reaches our servers
• Payment information — the platform is currently free; no paid plans are active
• Behavioural advertising data or third-party marketing trackers
• Information from anyone we know to be under 18 years of age

3. How We Use Your Information

We use the information we collect to:

• Operate and maintain the Service
• Authenticate API requests and prevent abuse
• Send essential transactional emails (account verification, security alerts, service notices) via Resend
• Investigate suspected security incidents or violations of our Terms of Service
• Comply with applicable legal obligations in India and other jurisdictions where you use the Service

4. Where Your Data Is Processed

We use established third-party infrastructure providers. Each provider holds its own security certifications at the platform level; this does not mean Anchora itself is certified.

• MongoDB Atlas — primary database (records, projects, accounts)
• Redis Cloud — queues, session caches, anchor pipeline
• Render — API server hosting
• Vercel — website and dashboard hosting
• Railway — background worker hosting
• Resend — transactional email delivery
• Polygon — public blockchain for anchored hashes (only hashes are written; no personal data)

Some of these providers operate data centres outside India. By using the Service, you consent to this cross-border processing for the limited purpose of running the Service.

5. Blockchain Anchoring

Anchora’s core function is to anchor cryptographic fingerprints (SHA-256 hashes) to public or permissioned blockchains. Please understand:

• SHA-256 is a one-way function; original data cannot be reconstructed from the on-chain hash
• Blockchain entries are immutable by design and cannot be deleted once confirmed
• The on-chain record contains: a Merkle root, a transaction timestamp, a record count, and the anchoring wallet address — no personal data

If you use hash-only mode, the underlying record never reaches Anchora’s servers; only the hash does. This is the strongest privacy posture and is recommended for any record that contains personal information.

6. Data Retention

• Account data — kept while your account is active; deleted within 30 days of account closure
• API request logs — kept for 90 days for operational and security purposes, then purged
• Aggregated usage statistics — anonymised after 12 months
• Blockchain hashes — permanent and immutable by nature; cannot be deleted (and contain no personal information)
• Email logs — retained by Resend per their policy; we do not extend that retention

You may request early deletion of your account data at any time. Records anchored via hash-only mode have no recoverable contents to delete; the on-chain hash will persist but is not traceable to personal information.

7. Your Rights

Depending on where you live, you have rights over your personal data under the laws that apply to you.

For users in India — DPDP Act, 2023

• Right to access — request a copy of the personal data we hold about you
• Right to correction and erasure — ask us to correct inaccurate data or delete data we no longer need
• Right to grievance redressal — raise complaints to the Grievance Officer (contact below). If your concern is not resolved, you may approach the Data Protection Board of India once its grievance channel is operational.
• Right to nominate — designate another person to exercise your rights in the event of incapacity or death
• Right to withdraw consent — you may withdraw consent at any time; processing prior to withdrawal remains lawful

For users in the EU / UK — GDPR

• Right of access, rectification, erasure, restriction, objection, and data portability
• Right to lodge a complaint with your national data protection authority

To exercise any of these rights, email vigneshwaran.bs@anchora.co.in. We aim to respond within 30 days.

8. How We Protect Your Data

We follow secure-by-default development practices:

• All connections to the API and website use TLS 1.2 or higher
• Sensitive fields (wallet private keys, encrypted record bodies) are encrypted at rest using AES-256-GCM
• API keys are stored as one-way hashes and are never recoverable in plaintext after creation
• Outbound webhooks are signed with HMAC-SHA256 so receivers can verify authenticity
• Database backups are encrypted by our infrastructure providers

Honest disclosure. Anchora is in an early stage of development. We have not yet completed formal third-party security certifications such as SOC 2 Type II or ISO 27001. A SOC 2 Type II audit is on the roadmap. The infrastructure providers we use (MongoDB Atlas, Vercel, Render, Railway, Redis Cloud) hold their own certifications at the platform level.

9. Cookies and Tracking

We use the minimum number of cookies needed for the Service to work. We do not run third-party advertising cookies or behavioural-tracking cookies.

• Essential cookies — authentication, session, and CSRF protection. Required for the dashboard to function.
• Preference cookies — remember your theme (light / dark) and similar settings.

You can clear or block cookies through your browser settings. Disabling essential cookies will prevent you from logging in to the dashboard.

10. Children’s Data

Anchora is a developer and business product and is not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy as the product evolves or as legal requirements change. Material changes will be communicated by updating the “Last updated” date at the top of this page and, for registered users, by email. Your continued use of the Service after a change constitutes acceptance of the updated policy.

12. Contact & Grievance Officer

For privacy questions, data requests, or any concern about how Anchora handles your information, please reach the operator and designated Grievance Officer:

• Vigneshwaran BS — operator and Grievance Officer
• Email: vigneshwaran.bs@anchora.co.in
• Based in: Chennai, Tamil Nadu, India

For Indian users whose concerns are not resolved by the Grievance Officer, you may escalate to the Data Protection Board of India once its grievance channel is operational.