Privacy Policy

Effective date: 1 January 2026. This Privacy Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Consumer Protection Act, 2019.

1. Who we are

rupAIya (“rupAIya”, “we”, “us”, or “our”) operates an Indian financial marketplace that pays software developers in Indian Rupees (INR) for viewing advertisements served inside developer tools, including but not limited to AI coding assistants and integrated development environments. Advertisers pay us on a per-impression basis. We share a fixed percentage of net advertising revenue with users via the Unified Payments Interface (UPI). For the purposes of the DPDP Act, rupAIya is the Data Fiduciary in respect of all personal data processed through the rupAIya platform, including the web application, browser and editor extensions, and supporting backend services.

This Privacy Policy explains in detail what personal data we collect about you, the legal grounds on which we process it, the third parties with whom we share it, how long we retain it, and the rights that you, as a Data Principal, have under Indian law. We have written this Policy in plain language so that an ordinary person of average literacy can understand it without specialist legal assistance, as required by Section 5 of the DPDP Act.

2. Categories of personal data we collect

Depending on whether you sign up as a developer (user), as an advertiser, or simply browse the rupAIya website without creating an account, we may collect the following categories of personal data:

• Identity data: your full name and the display name associated with your Google or GitHub account, your e-mail address, and a profile image URL provided by the identity provider.
• Financial data: your Unified Payments Interface (UPI) Virtual Payment Address used to receive payouts; your Permanent Account Number (PAN) once your lifetime payout earnings cross statutory thresholds; your Goods and Services Tax Identification Number (GSTIN) and registered business address if you are an advertiser; and your razorpay customer identifier where applicable.
• Behavioural and transactional data: ad impressions attributed to your account, the campaigns to which those impressions relate, the earnings generated, payout history, referral relationships, streaks and bonuses, and the timestamps associated with each event.
• Technical data: your Internet Protocol (IP) address, user-agent string, a device fingerprint derived from your editor installation, the extension instance identifier, approximate geolocation inferred from IP, the operating system and IDE version reported by the extension, and authentication cookies necessary to maintain your logged-in session.
• Correspondence: e-mails, support tickets, and chat transcripts that you send to us, including any personal data that you voluntarily include in those communications.

We do not knowingly collect biometric data, genetic data, caste, tribe, religious or political beliefs, or any other category of data that the DPDP Act or its subordinate rules may, from time to time, designate as deserving of heightened protection. We do not collect or process the personal data of children below the age of eighteen (18). The rupAIya service is restricted to adult users in accordance with Section 9 of the DPDP Act.

3. Purposes for which we process your personal data

We process your personal data strictly for the specific, lawful purposes for which you have given consent or for which processing is otherwise permitted under the DPDP Act, including the following legitimate uses:

• To create and authenticate your account, including verification of your e-mail address through Google or GitHub OAuth.
• To attribute advertising impressions to your account, calculate earnings, apply daily and weekly caps, manage rolling balances, and credit pending balances to cleared status after the contractual clearance period.
• To process payouts to your UPI Virtual Payment Address through our payout partner, including the calculation and withholding of platform fees, taxes deductible at source where applicable, and the issuance of receipts.
• To bill advertisers, generate tax invoices that comply with the Central Goods and Services Tax Act, 2017, and report transactions to payment gateways and tax authorities as required by law.
• To detect and prevent fraud, abuse, ad-stuffing, click farms, mule accounts, and other anomalies that could undermine the integrity of the marketplace; this includes algorithmic risk scoring and the generation of anomaly flags reviewed by our trust and safety team.
• To provide customer support, respond to grievances, and comply with obligations imposed by law enforcement, courts, or regulatory bodies.
• To send transactional communications about your account, payouts, and policy changes. We do not send marketing e-mails without your separate consent and you may withdraw such consent at any time.

4. Legal basis for processing

We rely on the following lawful grounds under the DPDP Act: (a) your free, specific, informed, unconditional, and unambiguous consent given through a clear affirmative action at the time of account creation; (b) performance of the contract between you and rupAIya, including the contractual obligation to pay you for delivered impressions; (c) compliance with applicable Indian law, including taxation, anti-money laundering, and consumer-protection statutes; and (d) other certain legitimate uses recognised under Section 7 of the DPDP Act, such as responding to medical emergencies or threats to public health and order. Where consent is the basis, you may withdraw your consent at any time by writing to our Grievance Officer; withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

5. Third parties and data processors

We engage carefully selected third-party processors who are contractually bound to process personal data only on our documented instructions and to implement appropriate security safeguards. The principal categories of recipients are:

• Identity providers: Google LLC (Google OAuth) and GitHub, Inc. (GitHub OAuth) authenticate users at the point of sign-in and return basic profile information to us.
• Payment gateways: Razorpay Software Private Limited collects payments from advertisers and Cashfree Payments India Private Limited disburses payouts to users via UPI. These entities are regulated by the Reserve Bank of India and act as independent data fiduciaries in respect of the payment-instrument data they collect.
• Hosting and database providers: Vercel Inc. provides edge-network application hosting and Neon Inc. provides the managed PostgreSQL database in which we store user records. These vendors process personal data on our behalf under data-processing addenda.
• Communications and analytics: transactional e-mail providers used to send sign-in links, payout receipts, and grievance acknowledgements.
• Professional advisers: chartered accountants, tax consultants, lawyers, and auditors engaged under duties of confidentiality.
• Law-enforcement and government authorities: where disclosure is required by a valid order under Indian law, including orders under the Code of Criminal Procedure, 1973 and the Income Tax Act, 1961.

We do not sell personal data to data brokers, advertising networks, or any other third party. We do not use personal data to train large language models or other artificial-intelligence systems beyond the narrow technical purpose of anomaly detection within the rupAIya platform itself.

6. Cross-border transfers

Some of our processors, including Vercel and Neon, may store or process personal data on servers located outside India, principally in the United States and the European Union. The Central Government of India has not, as of the effective date of this Policy, notified a restricted list of countries under Section 16 of the DPDP Act, and accordingly such transfers are presently lawful. We rely on contractual safeguards, encryption in transit and at rest, and access controls to protect personal data wherever it is processed. Should the Central Government notify restrictions in the future, we will promptly relocate affected data or terminate the relevant processing.

7. Retention periods

We retain personal data only for as long as is reasonably necessary for the purpose for which it was collected, subject to longer retention periods imposed by statute. Specifically:

• Account records: until you request erasure, after which we soft-delete the account and retain a residual record for ninety (90) days to allow recovery in case of inadvertent deletion, followed by hard deletion.
• Impression and earnings data: seven (7) years from the date of the transaction, in alignment with the record-keeping obligations under the Companies Act, 2013 and the Income Tax Act, 1961.
• Tax invoices and payout receipts: eight (8) years from the end of the relevant financial year, in line with Rule 56 of the Central Goods and Services Tax Rules, 2017.
• Anti-fraud logs, IP addresses, and device fingerprints: eighteen (18) months from collection unless required for an ongoing investigation.
• Grievance correspondence: three (3) years from closure of the grievance.

8. Your rights as a Data Principal

Subject to the conditions set out in Chapter III of the DPDP Act, you have the following rights in respect of your personal data:

• Right to information and access:you may request a summary of the personal data we hold about you, the purposes of processing, and the identities of recipients. You may exercise this right at any time from your Settings page using the “Download my data” button.
• Right to correction and completion: you may correct inaccurate or misleading information and complete incomplete records by editing your Settings page or by writing to the Grievance Officer.
• Right to erasure:you may request erasure of your personal data using the “Delete my account” button on the Settings page. We will honour the request unless retention is required by law, including for the purpose of fulfilling tax obligations or completing pending payouts.
• Right to grievance redressal: you may file a grievance with our Grievance Officer using the contact details in Section 11. We will acknowledge your grievance within forty-eight (48) hours and respond substantively within seven (7) days.
• Right to nominate: you may nominate another individual to exercise your rights in the event of your death or incapacity by writing to the Grievance Officer.

9. Security safeguards

We implement reasonable security practices and procedures commensurate with the sensitivity of the personal data we hold. These include transport-layer encryption for all traffic, encryption at rest of Personal Account Number and Unified Payments Interface identifiers, principle-of-least-privilege access controls, multi-factor authentication for administrative access, structured audit logging, rate limiting, origin checks on state-changing requests, and routine third-party security review. In the event of a personal-data breach likely to result in harm to affected Data Principals, we will notify the Data Protection Board of India and affected users in accordance with Section 8(6) of the DPDP Act and the rules made thereunder.

10. Children

The rupAIya service is intended exclusively for individuals who have attained eighteen (18) years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child has provided personal data to us, please contact our Grievance Officer and we will erase the data without undue delay.

11. Grievance Officer

In accordance with Section 8(10) of the DPDP Act and Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we have appointed a Grievance Officer to receive and address concerns regarding the processing of your personal data. The Grievance Officer may be contacted at tejmgokani@gmail.com. Please see our Contact page for postal address and telephone details. We aim to acknowledge grievances within forty-eight (48) hours and to respond substantively within seven (7) days.

If you are not satisfied with the response of the Grievance Officer, you may approach the Data Protection Board of India once it has been constituted under the DPDP Act.

12. Changes to this Policy

We may amend this Privacy Policy from time to time to reflect changes in law, in our services, or in our data-processing practices. Material changes will be notified to you by e-mail and through an in-app banner at least seven (7) days before they take effect. Continued use of the rupAIya service after the effective date of an amendment constitutes acceptance of the amended Policy.