Privacy Policy

Last updated: May 12, 2026

IDCardSeva ("we", "us", "our") takes your privacy seriously. This policy explains what data we collect, why we collect it, how we store it, and your rights — written in plain language so a CSC operator can read it once and understand it.

1. Who We Are

IDCardSeva is a SaaS service operated from India that performs AI-driven extraction and rendering of Indian government identity documents. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), IDCardSeva is the Data Fiduciary with respect to your account data, and acts as a Data Processor for User Content that is processed transiently on your behalf. We rely on the safe-harbour protection of Section 79 of the Information Technology Act, 2000 and comply with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

2. Data We Collect

Account data — your email address, profile name and avatar (if you sign in with an OAuth provider), and session authentication tokens. Used solely to authenticate you.
Document inputs — when you upload a PDF, scan or photo of a government card, that file is transmitted to our servers and to our AI extraction partner for the sole purpose of extraction. Please see "Storage and retention" below.
Extraction outputs — the structured data returned by the AI (name, date of birth, ID number, address, etc.) is stored in our database against your account so you can re-download the rendered card from your history.
Wallet & payment data — your wallet balance and transaction log. We do not store your card number, CVV, UPI PIN or net-banking credentials. Those are handled exclusively by our licensed payment gateway.
Technical data — IP address, user-agent, page views, and basic device info, used for security, fraud-prevention and product analytics.

3. How We Use Your Data

To deliver the Service you requested (extract a document, render a card, debit the wallet, save to history).
To send transactional emails (OTP, payment receipt, refund confirmation, security alerts).
To investigate suspected fraud, abuse or security incidents.
To improve the Service in aggregate. We do not train AI models on your document data.
To comply with applicable law and respond to lawful authority requests.

4. Storage and Retention

Account data and wallet history are stored on our managed database infrastructure for as long as your account exists, in accordance with Section 8(7) of the DPDP Act.
Document uploads are processed transiently in memory or in temporary storage and deleted as soon as extraction is complete. We do not retain the raw uploaded PDF or image.
Document extraction outputs (the structured JSON and the rendered card image) are kept against your account for retrieval. You can request deletion at any time (see Section 8).
AI requests are sent to our AI extraction partner; that partner's privacy policy applies to the in-flight processing. We do not authorise the AI partner to retain, log or train models on your data.

5. Sharing of Data (Sub-processors)

We share your data only with the following categories of recipients, and only as necessary to provide the Service. Each sub-processor is bound by a written agreement that restricts use of your data to the specific service it provides to us.

Cloud hosting and infrastructure — industry-standard cloud hosting and managed database / authentication providers, used to run the web application and store your account data.
AI inference — our AI extraction partner, for the document-extraction step only.
Payment processing — our licensed payment gateway, for wallet top-ups. We do not see your card / UPI / banking credentials.
Image analysis — third-party computer-vision provider for face and barcode detection (image regions only, no text or PII).
Lawful authorities — when required by Indian law (e.g. a valid court order or written request from a competent authority under the Information Technology Act, 2000 or the DPDP Act, 2023).

We do not sell your data, share it for advertising, or expose your documents to third parties for any other purpose. The current named sub-processor list can be requested from support.idcardseva@gmail.com.

6. Security

All traffic between your browser and IDCardSeva is encrypted via HTTPS (TLS 1.2+).
Database access is gated by row-level security policies — you can read only your own rows.
Server-side secrets (API keys, service role keys) are stored in our cloud provider's encrypted environment-variable system and are never bundled into the browser.
Webhooks from the payment gateway are verified using HMAC signature and a server-to-server status confirmation.
Rate limiting and abuse-detection guards are applied at the edge to prevent automated scraping and credential-stuffing.
Despite reasonable measures, no internet service can guarantee absolute security; you use IDCardSeva at your own risk. In the event of a personal-data breach affecting your account, we will notify you and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act.

7. Cookies

We use essential cookies and browser storage to keep you signed in (a session cookie issued by our authentication service) and to remember your theme preference. We do not use third-party tracking cookies for advertising.

8. Your Rights as a Data Principal

Under Sections 11 to 14 of the DPDP Act, 2023, you have the following rights:

Right to access information (Sec. 11) — your full extraction history is visible from the Dashboard. Email us if you need a structured export of all personal data we hold about you.
Right to correction & erasure (Sec. 12) — your account profile is editable from the Profile page or by request to support. Inaccurate or misleading personal data will be corrected on verified request.
Right to grievance redressal (Sec. 13) — see Section 12 below for our Grievance Officer contact and timelines.
Right to nominate (Sec. 14) — you may nominate any other person to exercise these rights in the event of your death or incapacity. Send the nomination in writing to support.idcardseva@gmail.com.
Right to erasure of account — request full account deletion by emailing support.idcardseva@gmail.com from the registered email address. Identifiable data will be purged within 7 business days, subject to legal retention requirements (transaction records, tax records, etc.).
Right to withdraw consent — you may stop using the Service at any time. Closure of the account constitutes withdrawal of consent for further processing.

9. Children

IDCardSeva is not directed at children under 18. Per Section 9 of the DPDP Act, 2023, processing of personal data of a child requires verifiable consent of the parent or lawful guardian. We do not knowingly collect, process, or solicit personal data from minors. If you become aware that a minor has created an account or uploaded a document containing their own personal data, please contact us immediately at support.idcardseva@gmail.com and we will purge the data and close the account.

10. Cross-Border Transfer

Some of our infrastructure providers may process data in jurisdictions outside India (e.g. United States, European Union). Such transfers are governed by Section 16 of the DPDP Act, 2023 — personal data may be transferred to any country other than those specifically notified by the Central Government of India as restricted. By using the Service you consent to such transfer. Where required, we rely on standard contractual clauses and data-processing agreements with our providers to ensure equivalent protection.

11. Updates

We may update this Privacy Policy. The "Last updated" date at the top reflects the latest revision. Material changes will be notified via in-app notice or registered email at least 7 days before becoming effective.

12. Grievance Officer & Contact

For grievances under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023:

Grievance Officer: IDCardSeva Support Team
Email: support.idcardseva@gmail.com
Phone / WhatsApp: +91 74191 17311
Hours: Monday – Saturday, 10:00 AM – 7:00 PM IST
Acknowledgement timeline: within 24 hours of receipt
Resolution timeline: within 15 days for IT-Rules grievances; within 30 days for DPDP-Act grievances

If you are not satisfied with our resolution, you may approach the Data Protection Board of India under Section 28 of the DPDP Act, 2023.