RUVIENT Technologies Private Limited
Effective Date: 20 May 2026 Version: 2.0 Last Updated: 20 May 2026 Document ID: RUVIENT-LEGAL-PP-2026-002
| Version | Date | Description | Approved By |
|---|---|---|---|
| 1.0 | 01 January 2025 | Initial privacy policy | Legal Team |
| 2.0 | 20 May 2026 | Complete rewrite for DPDP Act 2023 compliance | Legal & Compliance |
For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:
"Account" means the registered user account created by You on the HomeLift Platform to access and use the Services.
"Applicable Law" means the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and any other applicable legislation, regulation, or statutory instrument in force in India.
"Children" or "Child" means any individual below the age of eighteen (18) years, as defined under Section 9 of the DPDP Act, 2023.
"Consent" means free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by which they, by a clear affirmative action, signify agreement to the processing of their Personal Data, as defined under Section 6 of the DPDP Act, 2023.
"Consent Manager" means a person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent, as defined under Section 6(7) of the DPDP Act, 2023.
"Data Breach" means any unauthorized processing of Personal Data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data that compromises the confidentiality, integrity, or availability of Personal Data.
"Data Fiduciary" means RUVIENT Technologies Private Limited, which alone or in conjunction with other persons determines the purpose and means of processing of Personal Data, as defined under Section 2(i) of the DPDP Act, 2023.
"Data Principal" means the individual to whom the Personal Data relates, as defined under Section 2(j) of the DPDP Act, 2023. In the context of this Policy, "You," "Your," or "User" refers to the Data Principal.
"Data Processor" means any person who processes Personal Data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDP Act, 2023.
"Data Protection Board" means the Data Protection Board of India established under Section 18 of the DPDP Act, 2023.
"Device Information" means information about the hardware and software of the device used to access the Platform, including but not limited to device model, operating system version, unique device identifiers, mobile network information, and IP address.
"GPS Location" means the precise geographic coordinates (latitude and longitude) of a device as determined by the Global Positioning System or equivalent satellite navigation systems.
"Grievance Officer" means the officer appointed under Section 13(3) of the DPDP Act, 2023, and Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
"HomeLift" or "Platform" means the mobile application, web application, APIs, and all associated services provided by RUVIENT Technologies Private Limited under the brand name "HomeLift."
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction, as defined under Section 2(x) of the DPDP Act, 2023.
"Sensitive Personal Data" means Personal Data that reveals or relates to health data (including medication schedules), biometric data, financial data, data relating to children, or any other category as may be notified by the Central Government.
"Services" means all features, functionalities, and services offered through the HomeLift Platform, including but not limited to household management, staff attendance tracking, medication scheduling, expense management, and AI-powered assistance.
"Third-Party Processor" means any external entity engaged by RUVIENT Technologies to process Personal Data on its behalf for specified purposes.
"We," "Us," "Our," or "Company" means RUVIENT Technologies Private Limited, a company incorporated under the Companies Act, 2013, having its registered office in India (CIN: [To be inserted]).
"You," "Your," or "User" means any individual who accesses, uses, or registers on the HomeLift Platform.
(a) References to any statute or statutory provision include any subordinate legislation made under it and any modification, amendment, re-enactment, or replacement thereof.
(b) Words in the singular include the plural and vice versa.
(c) Headings are for convenience only and shall not affect the interpretation of this Policy.
(d) References to Sections are references to sections of this Privacy Policy unless otherwise stated.
(e) In the event of any conflict between the English version and any translated version of this Policy, the English version shall prevail.
This Privacy Policy applies to:
(a) All Personal Data collected, processed, stored, or transferred by RUVIENT Technologies Private Limited through the HomeLift Platform;
(b) All users of the HomeLift mobile application (Android and iOS);
(c) All users of the HomeLift web application;
(d) All interactions with HomeLift's AI-powered features, including voice-based interfaces;
(e) All household staff whose attendance and location data is processed through the Platform;
(f) All children whose information is stored on the Platform by their parents or legal guardians.
This Policy applies to the processing of Personal Data:
(a) Within the territory of India, regardless of the nationality or residence of the Data Principal;
(b) Outside India, if such processing is in connection with any activity related to offering goods or services to Data Principals within India, in accordance with Section 3 of the DPDP Act, 2023.
This Privacy Policy is incorporated by reference into the HomeLift Terms of Service (Document ID: RUVIENT-LEGAL-TOS-2026-002). In the event of any conflict between this Policy and the Terms of Service regarding data protection matters, this Policy shall prevail.
The following table provides an exhaustive list of Personal Data categories collected through the HomeLift Platform:
| # | Data Category | Specific Data Elements | Purpose | Legal Basis (DPDP Act) | Retention Period |
|---|---|---|---|---|---|
| 1 | Identity Data | Full name, profile photo | Account creation, identification | Consent (Section 6) | Duration of account + 180 days |
| 2 | Contact Data | Phone number (mobile) | Account identifier; invite-based onboarding (an existing member refers You by name + phone); communication | Consent (Section 6); Legitimate use (Section 7) | Duration of account + 180 days |
| 3 | Location Data (Precise) | GPS coordinates (latitude/longitude), altitude, speed, bearing | Staff attendance geo-verification, location-based services, safety features | Explicit Consent (Section 6) | 90 days (real-time); 2 years (aggregated) |
| 4 | Address Data | Home address, apartment/flat number, building name, city, state, PIN code | Service delivery, household identification | Consent (Section 6) | Duration of account + 180 days |
| 5 | Staff Attendance Data | Check-in/check-out timestamps, GPS coordinates at check-in/out, attendance history, staff member name | Household staff management, attendance verification | Consent (Section 6) of employer and staff | 3 years |
| 6 | Health Data | Medication names, dosage, frequency, schedule times, medication reminders, adherence history | Medication schedule management, health reminders | Explicit Consent (Section 6) | Duration of account + 1 year |
| 7 | Financial Data | Expense categories, amounts, payment descriptions, recurring expense schedules | Household expense tracking, budgeting | Consent (Section 6) | 5 years (tax/audit compliance) |
| 8 | Children's Data | Child's name, school name, school address, class/grade, school schedule, transport details | School management, pickup/drop coordination | Verifiable Parental Consent (Section 9) | Duration of account or until child turns 18 |
| 9 | Voice Data | Voice recordings (Remember Box), transcribed text | Speech-to-text (Cloudflare Workers AI / Whisper) + intent parsing (OpenAI, optional) to suggest tasks/grocery/etc. | Explicit Consent (Section 6) | Raw audio NOT stored (transcribed in transit and discarded); transcript not separately retained — only items You confirm are saved as records |
| 10 | Device Data | Device model, OS version, app version, unique device identifiers (IDFV/Android ID), screen resolution, language settings | App optimization, security, debugging | Legitimate use (Section 7) | 2 years |
| 11 | Usage Analytics | Feature usage patterns, session duration, screen views, tap/interaction events, crash logs, performance metrics | Service improvement, bug fixing, analytics | Legitimate use (Section 7) | 2 years (aggregated); 90 days (raw) |
| 12 | Network Data | IP address, ISP, connection type (WiFi/cellular), network quality metrics | Security, fraud prevention, service optimization | Legitimate use (Section 7) | 90 days |
| 13 | Authentication Data | Session tokens, invite codes, biometric authentication flags | Account security, access control | Legitimate use (Section 7) | Duration of account |
The following data categories are treated with enhanced protection measures as per Section 9 of the DPDP Act, 2023 and the SPDI Rules:
(a) Health Data (medication schedules) — encrypted at rest with AES-256, access restricted to authenticated user only;
(b) Children's Data (school information) — collected only with verifiable parental consent, subject to additional safeguards per Section 3.2(c);
(c) Precise Location Data — collected only when app is in active use (foreground) unless explicit background permission is granted;
(d) Voice Recordings — transmitted over TLS to Our speech-to-text processor (Cloudflare Workers AI / Whisper), converted to text, and NOT stored as audio by Us or, to Our knowledge, retained by the processor beyond the transcription request. The resulting transcript may be sent to OpenAI for intent parsing (only if that feature is enabled); You may type instead of using voice to avoid this processing.
For the avoidance of doubt, HomeLift does NOT collect:
(a) Aadhaar numbers or other government-issued identification numbers; (b) Bank account numbers, credit/debit card numbers, or UPI IDs; (c) Caste, religion, political opinion, or sexual orientation; (d) Genetic or biometric data (fingerprints, facial recognition templates); (e) Criminal conviction or offense data; (f) Social media credentials or contacts from your phone's address book (beyond what you explicitly provide).
The following data is collected when You voluntarily provide it:
| Collection Method | Data Collected | When Collected |
|---|---|---|
| Account Registration | Name, phone number, email | At sign-up |
| Profile Setup | Home address, household details | During onboarding |
| Staff Management | Staff names, roles, schedules | When adding staff |
| Medication Setup | Medication names, dosages, schedules | When configuring reminders |
| Expense Entry | Expense amounts, categories, descriptions | When logging expenses |
| Children's Info | Child name, school details, schedules | When setting up school management |
| Voice Input | Voice recordings | When using voice commands (with active mic permission) |
| Support Requests | Communication content, attachments | When contacting support |
The following data is collected automatically when You use the Platform:
| Collection Method | Data Collected | Technology Used |
|---|---|---|
| Device Sensors | GPS coordinates | Device GPS/GLONASS/Galileo |
| App Analytics | Usage patterns, session data, screen views | Firebase Analytics SDK |
| Crash Reporting | Crash logs, stack traces, device state | Firebase Crashlytics |
| Network Layer | IP address, connection type, latency | Standard HTTP headers |
| Device APIs | Device model, OS version, app version | System APIs |
| Background Services | Staff attendance geo-verification | Geofencing APIs (when permitted) |
| Source | Data Received | Purpose |
|---|---|---|
| Gupshup (WhatsApp Business API) | Message delivery status, read receipts | Communication delivery confirmation |
| Firebase Authentication | Authentication tokens, sign-in method | Account verification |
| App Store / Play Store | Installation source, referral data | Attribution analytics |
(a) Initial Consent: At the time of account registration, You will be presented with a clear, plain-language notice describing the data we collect and the purposes for which it is processed. Your consent is obtained through an affirmative opt-in action (checking a consent box or tapping "I Agree").
(b) Granular Consent: For sensitive data categories (location, voice, health data, children's data), separate and specific consent is obtained at the point of collection through runtime permission dialogs and in-app consent screens.
(c) Withdrawal of Consent: You may withdraw consent at any time through the Privacy Settings section of the app (see Section 9.5). Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(d) Consent Records: We maintain auditable records of all consent given, modified, or withdrawn, including timestamp, consent version, and method of consent, in compliance with Section 6 of the DPDP Act, 2023.
We process Your Personal Data for the following specified purposes:
| # | Purpose | Data Categories Used | Legal Basis |
|---|---|---|---|
| 1 | Account creation and authentication | Identity, Contact, Authentication | Consent (Section 6) |
| 2 | Household staff attendance management | Staff Attendance, Location | Consent (Section 6) |
| 3 | Medication schedule management and reminders | Health Data | Explicit Consent (Section 6) |
| 4 | Household expense tracking and budgeting | Financial Data | Consent (Section 6) |
| 5 | Children's school schedule management | Children's Data | Verifiable Parental Consent (Section 9) |
| 6 | AI-powered voice assistant | Voice Data, Usage Analytics | Explicit Consent (Section 6) |
| 7 | Push notifications and reminders | Contact Data, Device Data | Consent (Section 6) |
| 8 | WhatsApp notifications | Contact Data (phone number) | Consent (Section 6) |
| 9 | Service improvement and analytics | Usage Analytics, Device Data | Legitimate use (Section 7(b)) |
| 10 | Security and fraud prevention | Device Data, Network Data, Authentication | Legitimate use (Section 7(c)) |
| 11 | Legal compliance and regulatory obligations | All categories as required | Compliance with law (Section 7(e)) |
| 12 | Customer support | Identity, Contact, Usage Analytics | Consent (Section 6); Legitimate use (Section 7) |
| 13 | Bug fixing and crash resolution | Device Data, Usage Analytics, Crash Logs | Legitimate use (Section 7(b)) |
(a) We shall not process Your Personal Data for any purpose other than those specified in Section 5.1 above without obtaining fresh consent.
(b) We shall not use Your Personal Data for automated decision-making that produces legal effects or similarly significant effects on You without explicit consent and human oversight.
(c) We do NOT sell, rent, or trade Your Personal Data to any third party for their marketing purposes.
(d) We do NOT use Your Personal Data for profiling for the purposes of targeted advertising by third parties.
(a) Voice You record in the Remember Box is converted to text by Cloudflare Workers AI (Whisper); the audio is processed in transit and is not stored. The resulting text (and text You type) may be sent to OpenAI's API (see Section 6.0) solely to structure it into suggested items (e.g. a grocery item, task, or reminder), which are saved only if You confirm them. This is an optional feature; You may type instead of speaking.
(b) We do NOT use Your Personal Data to train general-purpose AI models. Your data is used solely to provide You with personalized responses within the HomeLift Platform.
(c) You may opt out of AI features at any time through Settings > Privacy > AI Features without affecting other Platform functionality.
We engage the following third-party Data Processors to process Your Personal Data on Our behalf:
| # | Processor Name | Location | Purpose | Data Processed | DPA Status | Certifications |
|---|---|---|---|---|---|---|
| 1 | Supabase, Inc. | Singapore (AWS ap-southeast-1) | Primary database, authentication, real-time subscriptions | All user data (encrypted) | Executed (DPA v2.1, dated 15 Jan 2026) | SOC 2 Type II, ISO 27001 |
| 2 | Cloudflare, Inc. | Global Edge Network (nearest PoP) | Application backend (Workers); CDN/DDoS/DNS/WAF; Workers AI (Whisper) voice-to-text | Network data, IP addresses; voice audio for transcription (not stored) | [VERIFY/EXECUTE DPA] |
SOC 2 Type II, ISO 27001, PCI DSS |
| 3 | Expo (650 Industries, Inc.) | United States | Push-notification delivery (Expo Push) | Device push token, notification content | [VERIFY/EXECUTE DPA] |
[VERIFY] |
| 4 | Gupshup Technology India Pvt. Ltd. | India (Mumbai) | WhatsApp Business API messaging | Phone numbers, message content (e.g. medicine/bill/task) | [VERIFY/EXECUTE DPA] |
ISO 27001 |
| 5 | OpenAI, LLC | United States | Intent parsing of Remember Box text (optional) | Reminder text / voice transcript | [VERIFY/EXECUTE DPA — enable no-training + zero-retention] |
SOC 2 Type II |
| 6 | Exotel Techcom Pvt. Ltd. | India | Missed-call staff attendance | Caller phone number | [VERIFY/EXECUTE DPA] |
[VERIFY] |
⚠️ Verification required before publication. The DPA status and certification entries above are placeholders. Do not state that a DPA is "Executed" unless a signed agreement is on file. Confirm each processor's region, certifications, and retention terms, then replace the placeholders. Tracked in compliance-checklist.md (H1–H3).
Each Third-Party Processor is contractually bound to:
(a) Process Personal Data only on Our documented instructions;
(b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
(c) Implement appropriate technical and organizational security measures as specified in Section 12.0;
(d) Not engage another processor without Our prior specific written authorization;
(e) Assist Us in responding to Data Principal rights requests under Section 9.0;
(f) Delete or return all Personal Data upon termination of the processing agreement;
(g) Make available all information necessary to demonstrate compliance and allow for audits;
(h) Immediately notify Us of any Data Breach affecting Personal Data processed on Our behalf.
(a) We maintain an up-to-date list of Sub-Processors at https://homelift.app/legal/sub-processors.
(b) We will notify You at least thirty (30) days prior to engaging any new Sub-Processor or replacing an existing one.
(c) If You object to a new Sub-Processor, You may terminate Your account within the thirty (30) day notice period, and We will facilitate data export as per Section 9.4.
RUVIENT Technologies remains fully liable for the acts and omissions of its Sub-Processors with respect to the processing of Your Personal Data, in accordance with Section 8(4) of the DPDP Act, 2023.
Your Personal Data may be transferred to and processed in the following jurisdictions:
| Destination | Processor | Data Transferred | Safeguard Mechanism |
|---|---|---|---|
| Singapore | Supabase (AWS) | Primary database (all user data) | Standard Contractual Clauses (SCCs); Adequacy (Section 16(1) DPDP) |
| United States | Expo | Device push tokens, notification content | [DPA — verify]; Data minimization |
| United States | OpenAI | Remember Box reminder text / voice transcript | [DPA — verify; no-training + zero-retention]; Data minimization |
| Global (nearest edge) | Cloudflare | Network metadata; voice audio for transcription (not stored) | [Cloudflare DPA — verify]; transcription in transit only |
| India | Gupshup | Phone numbers, messages | Processed domestically |
| India | Exotel | Caller phone number (staff missed-call attendance) | Processed domestically |
(a) Cross-border transfers are conducted in compliance with Section 16 of the DPDP Act, 2023, which permits transfer of Personal Data to jurisdictions not restricted by the Central Government.
(b) As of the effective date of this Policy, the Central Government has not notified any restricted jurisdictions under Section 16(1). Should any jurisdiction listed in Section 7.1 be subsequently restricted, We will:
In addition to legal compliance, We implement the following safeguards:
(a) Encryption in Transit: All data transferred internationally is encrypted using TLS 1.3 (minimum TLS 1.2);
(b) Encryption at Rest: Data stored in foreign jurisdictions is encrypted using AES-256 with keys managed by RUVIENT Technologies;
(c) Data Minimization: Only the minimum necessary data is transferred to each processor (see Section 6.1, "Data Processed" column);
(d) Contractual Protections: Standard Contractual Clauses (SCCs) equivalent to EU SCCs are incorporated into all processor agreements;
(e) Access Controls: Foreign processors access data only through authenticated, audited API endpoints with role-based access controls;
(f) Regular Audits: We conduct annual assessments of each processor's data protection practices and security posture.
(a) Where technically feasible, We prioritize processing within India or the Asia-Pacific region.
(b) Health Data (medication schedules) is stored exclusively in the Singapore region (Supabase, AWS ap-southeast-1) and is not replicated to US-based systems.
(c) Voice audio is transmitted to Cloudflare Workers AI (Whisper) for transcription and is not stored as audio. The resulting text may be transmitted to OpenAI for intent parsing; configure OpenAI API terms for no model training and zero retention. [VERIFY both processors' retention settings.]
(a) We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as specified in Section 3.1.
(b) Upon expiry of the retention period, data is either securely deleted or irreversibly anonymized within thirty (30) days.
(c) Retention periods commence from the date of last activity associated with the data, unless otherwise specified.
| # | Data Category | Active Retention | Post-Account Deletion | Legal Hold (if applicable) |
|---|---|---|---|---|
| 1 | Identity Data | Duration of account | 180 days | As required by court order |
| 2 | Contact Data | Duration of account | 180 days | As required by court order |
| 3 | Location Data (real-time) | 90 days | Deleted immediately | 1 year (if subject to investigation) |
| 4 | Location Data (aggregated) | 2 years | Anonymized immediately | N/A (anonymized) |
| 5 | Address Data | Duration of account | 180 days | As required by court order |
| 6 | Staff Attendance Data | 3 years | 3 years from last record | 7 years (employment disputes) |
| 7 | Health Data (medications) | Duration of account | 1 year | As required by court order |
| 8 | Financial Data (expenses) | 5 years | 5 years from creation | 8 years (tax audit) |
| 9 | Children's Data | Until child turns 18 or account deletion | 30 days | As required by court order |
| 10 | Voice Recordings (raw) | 30 days | Deleted immediately | 90 days (if subject to investigation) |
| 11 | Voice Transcriptions | 1 year | 30 days | 1 year (if subject to investigation) |
| 12 | Device Data | 2 years | 90 days | N/A |
| 13 | Usage Analytics (raw) | 90 days | Deleted immediately | N/A |
| 14 | Usage Analytics (aggregated) | 2 years | Anonymized immediately | N/A |
| 15 | Network Data | 90 days | Deleted immediately | 1 year (security incidents) |
| 16 | Authentication Data | Duration of account | Deleted immediately | 90 days (security incidents) |
| 17 | Consent Records | 7 years from consent action | 7 years | Indefinite (regulatory) |
| 18 | Support Communications | 3 years | 3 years from last communication | As required by court order |
(a) Automated Deletion: Data subject to time-based retention is automatically purged by scheduled deletion jobs running daily at 02:00 UTC.
(b) Manual Deletion Requests: Upon receiving a valid erasure request (Section 9.3), deletion is completed within thirty (30) days.
(c) Secure Deletion Methods: Data is deleted using cryptographic erasure (destroying encryption keys) for encrypted data, and secure overwrite (NIST SP 800-88 compliant) for unencrypted data.
(d) Backup Retention: Backups containing deleted data are purged within ninety (90) days of the deletion event. During this period, deleted data in backups is not actively processed or accessible.
Data may be retained beyond the specified periods where:
(a) Required by Applicable Law, court order, or regulatory directive;
(b) Necessary for the establishment, exercise, or defense of legal claims;
(c) Subject to an active legal hold notice;
(d) Required for ongoing investigation of security incidents or fraud.
(a) You have the right to obtain confirmation as to whether Your Personal Data is being processed and, if so, access to such data.
(b) Upon request, We will provide You with:
(c) Access requests can be submitted through: Settings > Privacy > Download My Data, or by emailing privacy@ruvient.com.
(d) We will respond to access requests within seventy-two (72) hours and provide the data within thirty (30) days.
(a) You have the right to correct inaccurate or incomplete Personal Data.
(b) Corrections can be made directly through the app interface for most data categories.
(c) For data that cannot be self-corrected, submit a request to privacy@ruvient.com with supporting documentation.
(d) We will process correction requests within fifteen (15) days and notify all processors to whom the data was disclosed.
(a) You have the right to request erasure of Your Personal Data, subject to the exceptions in Section 8.4.
(b) Erasure requests can be submitted through: Settings > Account > Delete Account, or by emailing privacy@ruvient.com.
(c) Upon receiving a valid erasure request:
(d) Erasure is irreversible. We recommend downloading Your data (Section 9.4) before requesting erasure.
(a) You have the right to receive Your Personal Data in a structured, commonly used, and machine-readable format.
(b) Data export is available through: Settings > Privacy > Export My Data.
(c) Export formats available:
(d) Data export will be prepared within seventy-two (72) hours and available for download for seven (7) days.
(a) You may withdraw consent for any or all processing activities at any time.
(b) Granular consent withdrawal is available through: Settings > Privacy > Manage Permissions.
(c) You may withdraw consent for specific categories:
(d) Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
(e) Certain core functionalities may be unavailable if consent for essential processing is withdrawn. We will clearly inform You of the consequences before processing the withdrawal.
(a) You have the right to lodge a complaint with Our Grievance Officer (see Section 14.0) regarding any processing of Your Personal Data.
(b) If You are not satisfied with Our response, You have the right to file a complaint with the Data Protection Board of India.
(c) The complaint process is:
(a) You have the right to nominate any other individual who shall, in the event of Your death or incapacity, exercise Your rights under this Policy.
(b) Nomination can be made through: Settings > Privacy > Nominate Representative.
(a) HomeLift processes children's data (school information, schedules) solely at the direction of and with the verifiable consent of the child's parent or legal guardian.
(b) We do NOT permit children under the age of eighteen (18) to create accounts independently.
(c) All children's data is entered and managed exclusively by the parent/guardian account holder.
(a) Before any children's data is collected, We obtain verifiable parental consent through:
(b) Parents/guardians may withdraw consent for children's data processing at any time through: Settings > Family > [Child Name] > Remove Child Data.
In compliance with Section 9 of the DPDP Act, 2023:
(a) We do NOT process children's data in any manner that is likely to cause detrimental effect on the well-being of the child;
(b) We do NOT undertake tracking, behavioral monitoring, or targeted advertising directed at children;
(c) We do NOT share children's data with any third party except as strictly necessary for the specified purpose (school schedule management);
(d) Children's data is stored with enhanced encryption and access controls (see Section 12.0);
(e) We do NOT use children's data for AI model training or analytics beyond aggregate, anonymized usage statistics.
(a) We collect only the minimum data necessary for school schedule management:
(b) We do NOT collect: child's photograph, date of birth, academic records, health information, or social interactions.
(a) If a parent/guardian removes a child from their account, all associated children's data is permanently deleted within seven (7) days.
(b) When a child reaches the age of eighteen (18) (if date of birth is provided), We will notify the parent/guardian and request confirmation to either delete the data or transfer management to the now-adult individual.
The HomeLift Platform (including web views within the mobile app) uses the following tracking technologies:
| Technology | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| Firebase Analytics SDK | Usage analytics, event tracking | Session + 2 years | First-party | |
| Firebase Crashlytics | Crash reporting, stability monitoring | Session | First-party | |
| Cloudflare __cfduid | Cloudflare | Security (bot detection) | 30 days | Strictly necessary |
| Cloudflare __cf_bm | Cloudflare | Bot management | 30 minutes | Strictly necessary |
| Session Storage | HomeLift | Authentication state, UI preferences | Session | Strictly necessary |
| Local Storage | HomeLift | Offline data cache, user preferences | Persistent | Functional |
(a) Strictly Necessary: Required for the Platform to function. Cannot be disabled. Includes security cookies and authentication tokens.
(b) Functional: Enable enhanced functionality and personalization. Includes language preferences and UI settings.
(c) Analytics: Help Us understand how the Platform is used. Includes Firebase Analytics events.
(a) Analytics tracking can be disabled through: Settings > Privacy > Analytics > Disable.
(b) Disabling analytics does not affect core Platform functionality.
(c) Strictly necessary cookies cannot be disabled as they are essential for security and basic functionality.
(a) HomeLift respects the "Limit Ad Tracking" (iOS) and "Opt out of Ads Personalization" (Android) device settings.
(b) We do not serve advertisements and therefore do not participate in ad tracking networks.
We implement the following technical security measures to protect Your Personal Data:
(a) Encryption at Rest:
(b) Encryption in Transit:
(c) Access Controls:
(d) Network Security:
(e) Application Security:
(a) Personnel:
(b) Policies and Procedures:
(c) Audits and Assessments:
(a) All data is hosted in Tier III+ data centers (AWS Singapore, Google Cloud US) with:
(b) RUVIENT Technologies does not maintain on-premises servers containing Personal Data.
(a) We maintain continuous monitoring systems to detect potential Data Breaches, including:
In compliance with Section 8(6) of the DPDP Act, 2023:
(a) Upon becoming aware of a Personal Data Breach, We will notify the Data Protection Board of India within seventy-two (72) hours;
(b) The notification will include:
(a) We will notify affected Data Principals without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach;
(b) Notification will be provided through:
(c) The notification will include:
(a) Containment (0-4 hours): Isolate affected systems, revoke compromised credentials, preserve evidence;
(b) Assessment (4-24 hours): Determine scope, identify affected data and individuals, assess risk;
(c) Notification (24-72 hours): Notify Data Protection Board and affected individuals;
(d) Remediation (72 hours - 30 days): Implement fixes, enhance controls, conduct root cause analysis;
(e) Review (30-90 days): Post-incident review, update security measures, document lessons learned.
In compliance with Section 13(3) of the DPDP Act, 2023, and Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, We have appointed the following Grievance Officer:
Name: [Grievance Officer Name] Designation: Data Protection & Grievance Officer Organization: RUVIENT Technologies Private Limited Email: grievance@ruvient.com Phone: [Phone Number] Address: [Registered Office Address], India
(a) Submission: Grievances may be submitted via:
(b) Acknowledgment: Within forty-eight (48) hours of receipt.
(c) Investigation: The Grievance Officer will investigate the complaint and may request additional information from You.
(d) Resolution: Within thirty (30) days of receipt of the grievance, or such extended period as may be communicated with reasons.
(e) Escalation: If You are dissatisfied with the resolution, You may:
The Grievance Officer is responsible for:
(a) Receiving and acknowledging all data protection complaints; (b) Investigating complaints and coordinating with relevant teams; (c) Ensuring timely resolution within statutory timelines; (d) Maintaining records of all grievances and their resolution; (e) Reporting to the Data Protection Board as required; (f) Conducting periodic reviews of data protection practices.
(a) We reserve the right to modify this Privacy Policy at any time to reflect changes in:
(a) Material Changes: For changes that materially affect Your rights or the processing of Your Personal Data, We will:
(b) Non-Material Changes: For minor changes (typographical corrections, formatting, clarifications that do not alter meaning), We will update the "Last Updated" date and version number without individual notification.
(a) Your continued use of the Platform after the effective date of a modified Policy constitutes acceptance of the modified terms, except where re-consent is required.
(b) If You do not agree with the modified Policy, You must discontinue use of the Platform and may request account deletion (Section 9.3).
Previous versions of this Privacy Policy are available at https://homelift.app/legal/privacy-policy/archive and upon request to privacy@ruvient.com.
This Privacy Policy shall be governed by and construed in accordance with the laws of India, including but not limited to:
(a) The Digital Personal Data Protection Act, 2023; (b) The Information Technology Act, 2000; (c) The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; (d) The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; (e) Any rules, regulations, or notifications issued by the Central Government or the Data Protection Board of India.
(a) Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.
(b) This is without prejudice to Your right to approach the Data Protection Board of India for complaints under the DPDP Act, 2023.
(a) In the event of any conflict between this Policy and Applicable Law, the provisions of Applicable Law shall prevail.
(b) If any provision of this Policy is found to be inconsistent with Applicable Law, that provision shall be deemed modified to the minimum extent necessary to achieve compliance, and all other provisions shall remain in full force and effect.
RUVIENT Technologies Private Limited [Registered Office Address] [City, State, PIN Code], India CIN: [Company Identification Number]
| Purpose | Channel | Contact |
|---|---|---|
| General Privacy Inquiries | privacy@ruvient.com | |
| Data Subject Rights Requests | Email / In-App | privacy@ruvient.com / Settings > Privacy |
| Grievances | grievance@ruvient.com | |
| Security Concerns | security@ruvient.com | |
| Legal Notices | Registered Post | [Registered Office Address] |
| General Support | In-App / Email | support@homelift.app |
| Request Type | Acknowledgment | Resolution |
|---|---|---|
| Access Request | 72 hours | 30 days |
| Correction Request | 48 hours | 15 days |
| Erasure Request | 48 hours | 30 days |
| Data Export | 48 hours | 72 hours |
| Grievance | 48 hours | 30 days |
| Security Report | 24 hours | Case-dependent |
By using the HomeLift Platform, You acknowledge that You have read, understood, and agree to be bound by this Privacy Policy. If You do not agree with any part of this Policy, please do not use the Platform.
RUVIENT Technologies Private Limited Document ID: RUVIENT-LEGAL-PP-2026-002 Classification: Public Effective Date: 20 May 2026 Next Review Date: 20 November 2026
© 2026 RUVIENT Technologies Private Limited. All rights reserved.
© 2026 RUVIENT Technologies Private Limited · Privacy · Terms · Delete account