Privacy Policy — Amar Astha

Overview

Amar Astha ("we", "our", or "the App") provides mobile services for account management, KYC verification, real-time chat, and customer support. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we retain it, the rights you have over your data, and how to contact us.

Please read this policy carefully. By using the App you consent to the collection, use and sharing of your information as described in this policy.

1. Data We Collect

1.1 Personal and Profile Information

• Name
• Father's name and Mother's name
• Date of birth
• Gender
• Email address
• Phone number

Collected when you register, update your profile or provide information to enable account creation and identification. (See: registration and profile flow.)

1.2 Identity Documents and Biometrics

• Photographs of identity documents (e.g. NID front and back)
• Selfie images captured for face verification and liveness checks

These files are uploaded when you complete KYC verification. Liveness detection may be performed via a third-party plugin; selfie images and KYC files are transmitted to our backend for verification and storage.

1.3 Authentication and Security Data

• PIN (six-digit), stored as a hash or derived value in secure storage
• Biometric preferences (e.g. whether you enabled biometric unlock)
• Device identifiers (UUID generated and stored locally)

We store hashes and preferences on the device using secure storage. We do not store raw PINs.

1.4 Communication Content and Media

• Chat messages (text)
• Uploaded chat media: images and voice recordings

Chat text and media may be stored on our backend server and/or Firebase Realtime Database to enable real-time messaging and message history.

1.5 Push Notification Tokens and Related Metadata

• Firebase Cloud Messaging (FCM) token
• Token registration metadata (timestamp, device ID)

We collect the FCM token to send push notifications to your device. Tokens may be stored in Firebase Realtime Database and/or in our server database.

1.6 Device and Usage Data

• Device model, OS version, app version
• Network status and connectivity information
• Analytics events (e.g. app opens, feature usage)

We use this information to monitor and improve the App and to troubleshoot issues.

2. How We Use Your Information

We use collected data for the following purposes:

• To provide and operate the App’s features (account creation, login, profile management).
• To verify your identity (KYC) and support compliance with applicable regulations.
• To enable real-time chat and to deliver media (images, voice) between users and support staff.
• To send transactional messages and push notifications (e.g. security alerts, updates).
• To secure accounts and detect misuse or fraud (PIN/hash checks, device binding, failed-attempt lockouts).
• To analyze and improve the App through analytics and performance monitoring.

3. Legal Basis for Processing (if applicable)

Where required by law (for example, in regions covered by data protection laws), we rely on the following legal bases: user consent (for KYC, camera/microphone uploads), performance of a contract (providing services you request), legitimate interests (fraud detection, security, app improvements), and compliance with legal obligations.

4. Sharing and Disclosure of Data

4.1 Service Providers and Third Parties

We may share personal data with third-party service providers who perform services on our behalf. These include:

• Firebase (Realtime Database and FCM) for real-time messaging and push notifications.
• Analytics providers such as Facebook App Events for aggregated analytics.
• Identity verification or KYC service providers if you opt into third-party verification flows.

4.2 Your Backend and Infrastructure

Files and data you upload (KYC images, chat media) are transmitted to our backend server (baseUrl: https://amarastha.shop in the app code) and may be stored there.

4.3 Legal Requirements

We may disclose information when required by law, in response to legal process, to protect rights and property, or to protect the safety of users or the public.

4.4 No Sale of Personal Information

We do not sell users’ personal information to third parties.

5. Data Retention

We retain personal data for as long as necessary to provide the App's services, to comply with legal obligations, to resolve disputes, and to enforce agreements. Specific retention periods for KYC documents, chat logs, and notification tokens are determined by server-side policies. Please contact us if you need specific retention information for your account.

6. Security

We implement reasonable administrative, technical and physical safeguards to protect personal information. Measures include encrypted transmission (HTTPS/TLS), secure storage of secrets on-device using platform-provided secure storage, and restricted access controls on backend services.

7. Local Storage and Permissions

The App uses local storage on your device for usability and secure storage of secrets:

• SharedPreferences: to cache profile identifiers, onboarding flags, fcm_token, and non-sensitive preferences.
• flutter_secure_storage (or platform keystore): to store PIN hash, device UUID, biometric toggles.

Permissions requested by the App include:

• Camera: to take photos for KYC and to pick images.
• Microphone / RECORD_AUDIO: to record voice messages.
• Storage / WRITE_EXTERNAL_STORAGE: to save temporary media files for upload (Android).
• Notifications / POST_NOTIFICATIONS: to show push notifications.
• Biometric permissions: to enable biometric unlock flows.

On iOS, the App requires appropriate Info.plist usage descriptions (e.g., NSCameraUsageDescription, NSMicrophoneUsageDescription, NSPhotoLibraryUsageDescription). On Android the necessary permissions are declared in AndroidManifest.xml.

8. Third-Party SDKs and Providers

The App integrates third-party SDKs which may collect and process information under their own privacy policies. Notable integrations in the app code:

• Firebase (Google): Realtime Database, Cloud Messaging. Firebase may process data under Google’s privacy policies.
• Facebook App Events: analytics events for app usage metrics.
• Google ML Kit / Liveness or face-detection plugins: local or hybrid face detection and liveness checks. Some plugins may process data locally on device, but the App also uploads images to the server for verification.

9. Children’s Privacy

The App is not intended for children under the age of 13 (or higher age as required by local law). We do not knowingly collect personal data from children. If you believe a child under the applicable age has provided personal data, please contact us to request deletion.

10. Your Rights and Choices

Depending on your jurisdiction, you may have rights to:

• Access the personal information we hold about you.
• Correct or update inaccurate or incomplete information.
• Request deletion of your personal information (subject to legal/operational limits).
• Restrict or object to certain processing (e.g. direct marketing, analytics).
• Obtain a copy of your personal data in a portable format.

To exercise your rights, contact us at the address below. We may need to verify your identity before processing requests.

11. How to Contact Us

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our data practices, products, or legal requirements. We will notify users of significant changes via the App or other reasonable means. The “Effective date” at the top indicates when this version became effective.

13. Play Store Compliance Notes

This policy has been written to include the following information required by many app stores:

• Types of personal and sensitive data collected (profile, KYC documents, photos, voice recordings, device identifiers, tokens).
• Third-party services used (Firebase, Facebook analytics, ML Kit plugins).
• Purposes for data collection (account, KYC, chat, notifications, security, analytics).
• Retention, user rights, and contact details for privacy requests.

14. Additional Developer Recommendations

• Add explicit in-app consent screens before collecting or uploading KYC images and before enabling biometric login.
• On iOS include the required usage strings in `ios/Runner/Info.plist` for camera and microphone access.
• Ensure backend storage (the URL configured in the app) enforces encryption at rest and strict access control for uploaded KYC and chat media.
• Consider publishing a Data Deletion Request form or API endpoint to automate user deletion requests.