Privacy Policy
Last updated: April 2026·Version: v1
Introduction
Enchamber (“we”, “us”, “our”) is a secure content sharing platform operated from India. This Privacy Policy explains what personal data we collect, how we use it, where it is stored, how long we keep it, and the rights you have over it.
We handle personal data in accordance with the Information Technology Act, 2000 (and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 made under it), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Digital Personal Data Protection Act, 2023, and the CERT-In Directions, 2022. This Policy applies to everyone who uses enchamber.com or receives an Enchamber link.
What personal data we collect
We collect the following categories of personal data:
- Account information: your email address and an account password (stored as a hash — see below).
- Shares you create: share title, type (file or text), expiry date, unique link slug, and the content or files you upload.
- Share activity: when a share is viewed or downloaded — event type and timestamp. In Phase 1, these events do not contain any identifying information about the viewer.
- Consent records: when you sign up, we record your email, the timestamp, your IP address, the version of this Policy you consented to, and the type of consent given (service signup + age declaration). These records are legal evidence of your consent and are retained as described in the Data retention section below.
Sensitive personal data
Account passwords and any share passwords you set are treated as sensitive personal information under the SPDI Rules, 2011. They are hashed using bcrypt with a SHA-256 pre-hash before storage. We never store them in plain text and Enchamber staff cannot see or recover them. For more detail on our security practices, see the Security page.
How we use your data
We use your personal data only for the purposes of providing the Enchamber service: creating and maintaining your account, hosting and delivering the shares you create, enforcing expiry and access controls, providing analytics to you about your own shares, preventing abuse, and complying with Indian law.
We do not sell your personal data. We do not share it with any third party except the named sub-processors listed below, which are bound by their respective Data Processing Agreements. We do not use your content to train machine-learning models. If we ever add a processing purpose beyond service delivery (for example, an optional AI feature), we will update this Policy and ask for fresh, specific, opt-in consent before the feature is activated on your account.
Sub-processors
We use the following named sub-processors to operate Enchamber. Each is bound by a Data Processing Agreement or equivalent terms covering data protection obligations.
| Provider | Role | Personal data processed | Region | Agreement |
|---|---|---|---|---|
| Supabase | Authentication + PostgreSQL database | Email, share metadata, share events, consent records | Mumbai, India | supabase.com/dpa |
| Cloudflare R2 | File storage | Uploaded file contents | APAC | cloudflare.com/dpa |
| Railway | Application hosting | Request data in transit (emails, passwords in transit, uploads in transit) | Singapore | railway.app/legal |
We will update this list before integrating any new sub-processor that processes your personal data.
Data retention
We retain personal data only as long as needed for the purposes above or as required by law. When an account is deleted, associated data is purged as described below — see also How to exercise your rights.
| Data type | Retention period | Legal basis |
|---|---|---|
| Account and profile | Until account deletion, then immediately purged | DPDPA storage limitation |
| Share metadata and content | Until the share is deleted or the account is deleted | DPDPA storage limitation |
| Uploaded files | Until the share is deleted or the account is deleted | DPDPA storage limitation |
| Share activity events (view, download) | Account lifetime; deleted on account deletion | Service delivery; CERT-In 180-day minimum satisfied |
| Consent records | Account lifetime + 3 years after account deletion | Legitimate interest — legal evidence of consent under DPDPA |
| Security and access logs | At least 180 days, then auto-purged | CERT-In Directions, 2022 |
Your rights
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights in respect of personal data we hold about you:
- Right to access: to see what personal data we hold about you and a summary of how it is processed.
- Right to correction: to correct inaccurate or outdated personal data about you.
- Right to erasure: to have your personal data deleted.
- Right to grievance redressal: to raise a complaint with our Grievance Officer about how we have handled your personal data.
- Right to nominate: to nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
How to exercise your rights
- Access and correction: your account email and basic account details are visible in Settings. To update your email, reply to any account email or write to hello@enchamber.com. A full data export will be available in Phase 2.
- Erasure: sign in and go to Settings → Danger Zone → Delete Account. Deletion is immediate and permanent across our database and file storage. Your authentication record is also removed. Consent records are retained in an anonymised form (without your user ID) for 3 years as legal evidence, as noted in the retention table above.
- Grievance redressal: email our Grievance Officer at hello@enchamber.com. Grievances are acknowledged within 24 hours and resolved within 15 days of receipt. Grievance Officer contact details are on our About page.
- Nomination: email hello@enchamber.com with details of the nominated person and a copy of the relevant document evidencing the nomination. We will acknowledge within 24 hours.
Cross-border data transfer
Your personal data is processed in the following locations:
- Database (Supabase): Mumbai, India.
- Application hosting (Railway): Singapore.
- File storage (Cloudflare R2): APAC region (exact data centre location not disclosed by Cloudflare).
Each sub-processor is bound by a Data Processing Agreement or equivalent terms. We monitor the Central Government’s publication of the DPDPA cross-border transfer restrictions list and will update our infrastructure if any country we use is added to it.
Children's data
Enchamber is strictly for users aged 18 years or older. We do not knowingly collect personal data from anyone under 18. At signup you are required to confirm your age. If we become aware that an account belongs to a person under 18, the account is immediately deleted along with all associated data.
Consent
We collect your personal data only with your consent or as otherwise permitted by law. At signup you are shown a plain-language notice of what we collect and must tick two mandatory checkboxes: one agreeing to this Privacy Policy and our Terms of Service, and one confirming you are 18 or older. A server-side record of each consent is stored (email, IP address, timestamp, and the version of this Policy you consented to).
You can withdraw your consent at any time by deleting your account from Settings → Danger Zone. Deleting your account withdraws all consent for service processing and permanently removes your data as described above.
Signup also offers a separate, optional checkbox to receive product updates, tips, and feedback requests. This is independent of the two mandatory consents above and is unchecked by default. If you opt in, you can withdraw at any time from Settings → Communications, or by replying UNSUBSCRIBE to any such email.
If we materially change this Policy — for example, by adding a new sub-processor, a new processing purpose, or extending a retention period — we will increment the version number shown at the top of this page and, where required, ask existing users to re-consent at next sign-in.
Data breach commitment
If we detect a personal data breach, we will report it to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of detection, as required by the CERT-In Directions, 2022, and notify affected users without undue delay. Where DPDPA requires, we will also notify the Data Protection Board. Further detail on our incident-response commitments is on the Security page.
Contact
For any question about this Privacy Policy or how we handle your personal data — or to exercise any of the rights described above — email our Grievance Officer at hello@enchamber.com. Full contact details are on our About page.
This Privacy Policy is governed by the laws of India. Any dispute arising out of or in connection with it shall be subject to the exclusive jurisdiction of the courts of Bangalore.