PRIVACY POLICY
Version: 1.0
Last Updated: 19th May, 2026
This Privacy Policy explains how Barabar Labs ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use the Barabar App ("App"). It is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By creating an account and accepting our Terms of Service, you consent to the practices described in this policy. If you do not agree, please do not use the App.
1. Information We Collect
To provide our services and prevent fraud, we collect the following personal data, which may include Sensitive Personal Data or Information (SPDI) as defined under IT Rules 2011:
- Identity Data: Mobile number (mandatory), full legal name, and display name.
- Financial & Transaction Data: Expenses added, settlement amounts, repayment timestamps, and UPI IDs. Essential for the core functionality of bill splitting.
- Device Data: Device model, OS version, unique device identifiers (e.g., Android ID), and IP address. Used to detect fraud and prevent multiple-account abuse.
- Social Graph: Information about users you interact with on the App (e.g., who you split bills with), used to build your network profile and Trust Score.
- Date of Birth: Collected solely to verify that you are 18 years of age or older, as required to use the App.
- Consent Records: The date, time, IP address, and version number of the Terms of Service and Privacy Policy accepted at registration, maintained as an immutable audit record under the DPDP Act, 2023.
2. How We Use Your Data
We process your personal data only for the following specified purposes:
- Facilitating bill splitting, expense tracking, and sending payment reminders ("Nudges").
- Calculating a proprietary "Trust Score" based on your repayment behaviour, average monthly debt, and settlement times. This score is used internally to improve the App and, with notice to you, to provide pre-screened offers for relevant financial products (e.g., credit cards or loans) from our financial partners. We do not make automated lending or credit decisions; we only facilitate introductions to partners who make their own independent assessments.
- Detecting and preventing fraud, spam, and account abuse.
- Communicating service updates, security alerts, and account-related notifications.
- Complying with applicable legal obligations (e.g., court orders, law enforcement requests).
We will not use your personal data for any purpose beyond those listed above without providing you with prior notice and, where required by the DPDP Act, obtaining your explicit, specific consent.
3. Data Sharing & Monetisation
We do not sell your personal contact information (name or phone number) to third parties. We may share data in the following circumstances:
- Financial Partners: We may share derived data (e.g., Trust Score, anonymised spending patterns) with banks, NBFCs, and fintech companies to provide you with pre-screened financial product offers. This sharing is for your benefit and does not include raw personal data such as your name, phone number, or UPI ID.
- Service Providers: We share data with third-party vendors strictly necessary to operate the App, including OTP delivery (MSG91), cloud infrastructure (Amazon Web Services — see Section 4), and push notification services. These providers are contractually bound to use your data only for the purpose of delivering their service to us and may not use it for their own commercial purposes.
- Legal Authorities: We will disclose personal data to Indian law enforcement, regulatory bodies, or courts where required by applicable law or to protect our legitimate legal rights.
4. Cross-Border Data Transfers
The App's infrastructure is hosted on Amazon Web Services (AWS), which operates data centres in India and internationally, including in the United States. As a result, your personal data may be transferred to, stored in, or processed in countries outside India. We apply appropriate contractual and technical safeguards to protect your data in such transfers and require our cloud service providers to maintain data protection standards consistent with applicable Indian law. By using the App, you consent to this transfer as described herein.
5. Data Security & Retention
Security: We use AES-256 encryption for sensitive personal data at rest, HTTPS for all data in transit, and cryptographic blind-index hashing for searchable fields such as phone numbers. Access to production systems is restricted to authorised personnel only. No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
Retention Periods:
- Active account data: Retained for as long as your account is active, and for 90 days after account deletion to allow for account recovery.
- Financial and transaction records: Retained for a minimum of 7 years from the date of the transaction, as required by Indian financial regulations including the Income Tax Act and the Prevention of Money Laundering Act, 2002.
- Fraud and security logs: Retained for up to 3 years to support fraud investigation and prevention.
- Consent records (acceptance date, IP, version): Retained permanently, as they form part of our compliance record under the DPDP Act, 2023.
6. Data Breach Notification
In the event of a personal data breach that is likely to result in harm to you, we will notify the Data Protection Board of India and affected users as required under the DPDP Act, 2023. Our breach notification will include: the nature of the data affected, the likely consequences of the breach, the measures we have taken or propose to take to address it, and any steps you should take to protect yourself. We will make every effort to notify you without undue delay.
7. Cookies and Tracking
The Barabar mobile App does not use browser cookies. Our website (barabar.co.in) may use cookies and similar tracking technologies to measure usage and improve the experience. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent without affecting your ability to use the App.
8. Children's Privacy
The App is not intended for anyone under the age of 18. We enforce this through mandatory date-of-birth verification at registration; any registration attempt by a person under 18 is rejected. We do not knowingly collect personal data from children. In accordance with Section 9 of the DPDP Act, 2023, we do not conduct behavioural tracking or targeted advertising directed at minors.
If you are a parent or guardian and believe your child has provided us with personal data, please contact our Grievance Officer at grievance@barabar.co.in and we will delete the data promptly.
9. Your Rights Under the DPDP Act, 2023
As a Data Principal under the DPDP Act, 2023, you have the following rights. To exercise any of these rights, contact our Grievance Officer at grievance@barabar.co.in. We will acknowledge your request within 24 hours and resolve it within 15 days.
- Right to Access (§12): You may request a summary of the personal data we hold about you and the purposes for which it is being processed.
- Right to Correction & Completeness (§12): You may request that we correct inaccurate, incomplete, or outdated personal data. Note that certain fields (e.g., date of birth) cannot be changed after registration, as disclosed at the time of sign-up.
- Right to Erasure (§12): You may request deletion of your account and associated personal data. Transaction records involving other users may be retained in anonymised form to maintain the integrity of their ledgers. Data required to be retained by law will not be deleted (see Section 5).
- Right to Withdraw Consent (§6): You may withdraw your consent to the processing of your personal data at any time by deleting your account in the App or by writing to our Grievance Officer. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Upon withdrawal, we will stop processing your data for all non-essential purposes within 15 days.
- Right to Grievance Redressal (§13): You have the right to have your concerns addressed by our Grievance Officer. If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India (see Section 11).
- Right to Nominate (§14): You may nominate another individual to exercise your rights under the DPDP Act on your behalf in the event of your death or incapacity. To register a nomination, contact our Grievance Officer.
10. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the contact details of our Grievance Officer are:
Name: Snehal Mishra
Email: grievance@barabar.co.in
Address: Second Floor, C1-27, Ardee City, Sector 52, Gurugram, Haryana – 122003
We will acknowledge all complaints within 24 hours of receipt and resolve them within 15 days. If your complaint is not resolved satisfactorily within this period, you may escalate to the Data Protection Board of India as described in Section 11.
11. Data Protection Board of India
If you are not satisfied with our response to your grievance, you have the right to approach the Data Protection Board of India ("DPBI") under Section 13 of the DPDP Act, 2023. The DPBI is the statutory authority empowered to adjudicate complaints under the Act. Information on filing a complaint will be available on the Ministry of Electronics and Information Technology (MeitY) website once the Board is fully constituted.