Privacy Policy

1. Information We Collect

We collect information in two ways: information you provide directly, and information we collect automatically when you use sail.dhfm.in.

Information you provide

• Account data: Username, email address, profile photo, and biography when you register.
• Content data: AI prompts you submit, collection names and descriptions, comments, and FAQ entries.
• Saved items & boards: Prompts you save and the names of any boards you create to organise them. Your boards are private and visible only to you.
• Onboarding preferences: Your role (e.g. marketer, developer), preferred AI tools, topics of interest, and usage frequency — collected during the one-time onboarding wizard to personalise your feed. You can update or delete these preferences at any time from Dashboard → Preferences.
• Social profile links: Instagram, LinkedIn, and X (Twitter) URLs you optionally add to your public profile.
• Payment details (Pro subscribers): UPI ID or bank account number and IFSC code for payout purposes. See Section 12 for full details.
• Communications: Messages you send us via the contact form.

Information collected automatically

• IP address (hashed): When you view a prompt, copy a prompt, like content, share content, or click an ad, we store a one-way cryptographic hash (SHA-256) of your IP address. The hash cannot be reversed to obtain your original IP address.
• Session identifier (hashed): A hashed, temporary session token used to count concurrent viewers on a prompt page. It expires automatically and is never linked to your account.
• View and interaction counts: We record each time a prompt is viewed, copied, liked, or shared — including the timestamp — for the purpose of ranking and displaying stats.
• Search queries: When you search the platform, we log the text you entered, the number of results returned, and — if you click a result — which prompt you clicked. This data is used to improve search rankings.
• Behavioural signals: When you interact with search results, we record which results were shown to you (impressions), which you clicked, and how long you spent on the page before returning (dwell time). These signals are used only to improve the order of search results.
• Ad interaction data: If you click a promotional card or advertisement on the platform, we record the destination URL and a hashed IP address to measure unique click counts.
• Theme preference: Your chosen dark/light mode is stored in your browser's local storage. This data never leaves your device.

2. Analytics & Behavioural Data — Full Detail

We operate our own analytics system rather than using third-party services like Google Analytics. All data is stored on our own servers and is never sent to external analytics providers.

The following data is collected only with your consent (given via the cookie banner when you first visit). You can withdraw consent at any time from your Dashboard → Preferences.

• Search impressions: Which search results were shown to you, their position, and the search query.
• Click-through data: Which result you clicked, from which position, in response to which query.
• Dwell time: How many seconds you spent on a prompt page after arriving from a search result. Used to determine whether a result was relevant.
• View events: Each page view on a prompt, with timestamp and hashed IP.
• Copy and share events: Each time you copy a prompt or share it, with timestamp and hashed IP.

The following data is collected regardless of analytics consent because it is essential to platform operation:

• Authentication cookies (login sessions).
• Account data you voluntarily provided on registration.
• Content you submitted (prompts, collections).

You have the right to delete all analytics data we hold about you at any time. Go to Dashboard → Security → Danger Zone → Delete my analytics data. This permanently removes your views, copies, searches, and behavioural records. Your account and content are unaffected.

3. How We Use Your Information

• Create and manage your user account.
• Publish and display your submitted prompts and collections.
• Operate the leaderboard and discovery features (view counts, copy counts).
• Improve search result rankings using aggregated, anonymised behavioural signals.
• Personalise your content feed based on onboarding preferences you provided.
• Process subscription payments and manage Pro membership via Razorpay.
• Process reward payouts to your UPI ID or bank account.
• Detect and prevent fraud, spam, and abuse.
• Send account-related notifications (you can opt out in Dashboard → Preferences).
• Comply with legal obligations under the Indian Digital Personal Data Protection Act 2023 (DPDP Act), applicable RBI payment regulations, and other applicable laws.

We do not sell your personal information. We do not use your data for targeted advertising or profiling for commercial purposes.

4. Legal Basis for Processing

Under the DPDP Act 2023 and GDPR (for users in the EU/UK), we process your personal data on the following legal bases:

5. Information Sharing & Data Processors

We do not sell, trade, or rent your personal information to third parties. We act as the Data Fiduciary under the DPDP Act 2023. The following Data Processors handle personal data strictly on our instructions:

We may also share data in these limited circumstances:

• Legal requirements: When required by Indian law, a court order, or a legitimate governmental authority under the DPDP Act or other applicable legislation.
• Business transfers: If sail.dhfm.in is acquired or merged, data may transfer as part of that transaction. You will be notified in advance.

6. International Data Transfers

This platform is operated from India. Some of our Data Processors (listed in Section 5) may store or process data outside India, including in the United States and other countries. Where data is transferred internationally, we ensure appropriate safeguards are in place:

• Google OAuth: Governed by Google's standard contractual clauses and adequacy decisions under GDPR where applicable. Data transferred to Google relates only to users who actively choose "Sign in with Google."
• Email delivery: Limited to email address and message content necessary to deliver transactional emails. Providers are contractually bound to process data only for this purpose.
• ImageKit CDN: Image files are served via a global CDN for performance. No personal profile data (name, email) is transferred — only the image binary itself.

For EU/UK users: transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) or adequacy decisions. For Indian users: transfers are made in compliance with the DPDP Act 2023 and any cross-border transfer rules notified by the Indian Government.

7. Cookies & Tracking

See our full Cookie Policy for a complete list. In summary:

• Essential cookies: WordPress login session, CSRF security token, and authentication. These are always set and cannot be disabled without losing access to your account.
• Preference storage: Dark/light mode is stored in browser local storage — it never leaves your device.
• Analytics tracking: Only set after you accept the cookie banner. Includes the consent record itself (dm_consent), which is necessary to remember your choice.

8. Your Rights

Under the Indian Digital Personal Data Protection Act 2023 (DPDP Act), and where applicable GDPR and UK PECR, you have the following rights:

• Right to access (DPDP Act §11 / GDPR Art. 15): Request a summary of what personal data we hold about you, the purposes for which it is processed, and the identities of any Data Processors we share it with.
• Right to correction (DPDP Act §12 / GDPR Art. 16): Update inaccurate or incomplete profile information via Dashboard → Settings.
• Right to erasure of analytics data: Delete all behavioural and analytics records instantly via Dashboard → Security → Delete my analytics data.
• Right to erasure of account (DPDP Act §12 / GDPR Art. 17): Request full account deletion and removal of all associated personal data. Contact us via the Contact page. We will complete this within 30 days.
• Right to data portability (GDPR Art. 20): EU/UK users may request a machine-readable export of personal data you provided to us (account information and submitted prompts). See Section 9 below.
• Right to withdraw consent (DPDP Act §6 / GDPR Art. 7): Change your analytics consent at any time via Dashboard → Preferences or by clearing your dm_consent cookie. Withdrawal does not affect processing carried out before withdrawal.
• Right to opt out of emails: Use the unsubscribe link in any email or toggle notifications off in Dashboard → Preferences.
• Right to nominate a representative (DPDP Act §14): You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Contact us to register a nominee.
• Right to grievance redressal (DPDP Act §13): See Section 14 for our Grievance Officer details.
• Right to object / restrict processing (GDPR Art. 21–22): EU/UK users may object to processing based on legitimate interests or request restriction of processing while a dispute is resolved. Contact us via the Contact page.

For any request, use our Contact page. We respond within 72 hours to acknowledge your request and complete it within 30 days (extendable by a further 30 days for complex requests, with notice to you).

If you are unhappy with our response, you have the right to complain to the Data Protection Board of India (under DPDP Act §25) or, for EU/UK users, to your local data protection supervisory authority.

9. Data Portability

You can request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format (JSON). This includes:

• Your account information (username, email, display name, bio, social links)
• Your submitted prompts and collections
• Your onboarding preferences

Analytics data (views, copies, searches) is not included in portability exports as this data is linked to hashed identifiers and cannot be meaningfully attributed to a named individual once extracted.

To request your data export, use our Contact page with the subject "Data Portability Request." We will provide the export within 30 days.

10. Data Retention

• Account data: Retained until you request account deletion.
• View and copy logs: Raw event rows are retained for up to 12 months and then automatically purged. Aggregate counts (total views, total copies) on content are retained indefinitely as public statistics.
• Search logs: Raw search queries and click data are retained for up to 90 days. Aggregated search-quality signals (used for ranking) do not contain personal identifiers and are retained indefinitely.
• Active viewer sessions: Expire automatically after 5 minutes of inactivity and are purged from the database weekly.
• Hashed IP addresses: Retained for the period of the event log they belong to (see above).
• Payment and financial records: Transaction records (payment IDs, amounts, dates) are retained for a minimum of 8 years to comply with Indian accounting and tax regulations (Income Tax Act 1961, GST Act). UPI IDs and bank account numbers stored as user metadata are deleted upon account deletion, subject to any pending payout obligations.
• Onboarding preferences: Retained until you update or delete them via Dashboard → Preferences, or until account deletion.
• Google OAuth tokens: We do not store long-lived Google refresh tokens. Only the profile data (name, email, photo) received at login is stored, as your account data.

11. Data Security

We implement the following technical and organisational measures to protect your personal data:

• Encryption in transit: All data is transmitted over HTTPS/TLS. HTTP connections are redirected to HTTPS.
• Password security: Passwords are hashed using bcrypt with appropriate cost factors. Plain-text passwords are never stored.
• IP address protection: IP addresses are stored only as one-way SHA-256 hashes. The original IP cannot be recovered.
• Session security: Sessions are invalidated on password change and logout. CSRF tokens protect all authenticated actions.
• Google OAuth secret encryption: The Google OAuth client secret is stored AES-256-CBC encrypted at rest.
• Payment data handling: We do not store full card numbers or CVV codes. Payment card data is handled entirely by Razorpay, a PCI-DSS compliant payment processor regulated by the Reserve Bank of India. We store only the Razorpay subscription/payment IDs needed to manage your subscription status.
• Access controls: Administrative access to personal data is restricted to authorised personnel on a need-to-know basis.
• Regular security reviews: We regularly review our security practices and update them as threats evolve.

No internet transmission is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights, we will notify you and the Data Protection Board of India as required under the DPDP Act 2023.

12. Payment & Financial Data

Subscription payments: When you subscribe to sail.dhfm.in Pro, your payment is processed by Razorpay Software Private Limited (a company incorporated in India and regulated by the Reserve Bank of India). We receive confirmation of payment status and a Razorpay transaction ID. We do not receive or store your card number, CVV, or net banking credentials.

Payout details (reward programme participants): If you opt in to receive rewards payouts, you may provide a UPI ID or bank account number and IFSC code. This information is:

• Stored as user metadata associated with your account.
• Shared with Razorpay solely for the purpose of executing a payout transfer.
• Accessible only to you (via your dashboard) and authorised platform administrators.
• Deleted upon account deletion, subject to any pending payout obligations.

You are not required to provide payment details to use the platform. Payout details are optional and used only if you are eligible for and wish to receive a reward.

Razorpay's privacy policy is available at razorpay.com/privacy.

13. Children's Privacy

sail.dhfm.in requires users to be at least 13 years old. We do not knowingly collect personal data from children under 13. Under the DPDP Act 2023, if a user is under 18, we additionally require verifiable parental or guardian consent before processing their personal data. If you believe we have collected data from a minor without appropriate consent, please contact us immediately and we will delete it promptly.

14. Grievance Officer (India — DPDP Act 2023)

In accordance with the Digital Personal Data Protection Act 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, we have designated a Grievance Officer to address any concerns or complaints regarding the processing of your personal data.

If you have a complaint, concern, or question regarding this Privacy Policy or our data practices, please contact our Grievance Officer:

If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India once it is established under the DPDP Act 2023, or to your relevant local data protection authority.

15. Contact Us

For privacy questions, data requests, or to exercise your rights, use our Contact page. We aim to respond within 72 hours and complete requests within 30 days.

This platform is operated from India and is subject to the Digital Personal Data Protection Act 2023. Where users are located in the European Union or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR respectively.

This policy was last updated on June 2026. We will update this policy when our practices change and notify registered users of significant changes by email.