
Privacy Policy

This Privacy Policy explains how Vashix ("Vashix", "we", "us") collects, uses, stores, and protects personal data when you use our photo verification platform, APIs, SDKs, dashboard, and related services.

References DPDP Rules 2025 · Encrypted at Rest & In Transit
Effective date: March 12, 2026 · Last updated: March 12, 2026

Contents

1. Overview
2. Information We Collect
3. How We Use Your Information
4. Legal Basis for Processing
5. Data Storage & Residency
6. Data Sharing & Disclosure
7. Payment Data & Financial Information
8. Security Measures
9. Cookies & Similar Technologies
10. Your Rights Under the DPDP Act 2023
11. Children's Data
12. Third-Party Links & Integrations
13. Changes to This Policy
14. Contact Us

1. Overview

1.1 Who We Are

•Vashix ("Vashix", "we", "us", "our") is a photo verification platform operated from Mumbai, Maharashtra, India. Vashix is a product brand — the operating entity details are provided in the Contact section below
•We operate a photo verification platform that provides hardware-backed cryptographic provenance, trust scoring, and compliance tooling for enterprises — primarily in the insurance, banking, NBFC, and government sectors
•Under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, Vashix acts as a Data Processor. Your organisation (the entity contracting with Vashix) acts as the Data Fiduciary

1.2 Scope of This Policy

•This Privacy Policy applies to all users of the Vashix platform, including: the marketing website (vashix.com), the dashboard (dashboard.vashix.com), the REST API, the Android SDK, and all related services
•This policy covers personal data of: account holders (enterprise admins, team members), end-users whose data is captured via the SDK (claimants, adjusters, field agents), and website visitors
•By accessing or using any Vashix service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy
•If you do not agree with this policy, please do not use our services. You may request deletion of any existing data by contacting our Data Protection Officer

2. Information We Collect

2.1 Data Collected Through Our Verification SDK

•Photographs captured through the Vashix SDK during the verification workflow
•GPS coordinates (latitude and longitude) at the time of photo capture
•Device identifiers: hardware model, OS version, Android hardware attestation key ID
•Motion sensor data collected during the capture session for liveness verification
•Timestamps generated on-device and verified against server time
•Network metadata: connection type, approximate signal strength
•C2PA content credentials embedded in the photo manifest
•Consent records: timestamp of consent, version of consent notice shown, categories of data consented to

2.2 Data Collected Through Our Dashboard & Website

•Account registration details: full name, business email address, organisation name, designation, GST number (optional)
•Authentication credentials (passwords are hashed using bcrypt with salt — never stored in plaintext)
•API usage logs: endpoints called, timestamps, response codes, IP addresses
•Billing information: plan selected, billing cycle, invoice history. Payment card details are processed exclusively by our payment gateway (Razorpay) and are never stored on Vashix servers
•UPI IDs and netbanking details are processed by Razorpay and never touch Vashix infrastructure
•Support and communication records: emails, support tickets, feature requests

2.3 Data Collected Automatically

•Server access logs: IP address, browser user-agent string, referring URL, pages visited
•Cookie identifiers for session management (see Section 9 below)
•Aggregated, anonymised analytics data (page views, feature usage) via privacy-respecting analytics — no cross-site tracking
•Device type, screen resolution, operating system, and browser version for optimising the dashboard experience

2.4 Data We Do NOT Collect

•We do not collect Aadhaar numbers, PAN numbers, or other government-issued ID numbers unless explicitly submitted by you
•We do not collect biometric data as defined under the Aadhaar Act — motion sensor data is motion telemetry, not biometric identification
•We do not collect financial information such as bank account numbers, credit card numbers, or UPI PINs — all payment processing is handled by our PCI-DSS compliant payment gateway
•We do not read, access, or store the contents of your device's photo gallery, contacts, messages, or any other app data

3. How We Use Your Information

3.1 Primary Purposes (Contractual Necessity)

•To provide photo verification services as contracted by your organisation (the Data Fiduciary)
•To generate trust scores based on device attestation, GPS, motion, timestamp, and provenance signals
•To create tamper-evident audit logs for each capture session
•To embed C2PA content credentials for downstream provenance verification by any compliant tool
•To deliver breach notification reports, compliance exports, and data residency certificates
•To process subscription payments, generate invoices, and manage your billing account

3.2 Operational Purposes (Legitimate Interest)

•To maintain, monitor, and improve our infrastructure, security posture, and service reliability
•To detect and prevent fraud, abuse, and unauthorised access to the platform
•To generate anonymised, aggregated analytics for product improvement — no individual can be identified from this data
•To communicate service updates, security advisories, scheduled maintenance, and contractual notices
•To respond to your support requests and provide technical assistance
•To comply with legal obligations under applicable Indian law, including tax filings and regulatory reporting

3.3 What We Do NOT Do With Your Data

•We do not sell, rent, or trade personal data to any third party — ever
•We do not use captured photo data or SDK data for AI/ML model training unless explicitly authorised in a separate written agreement
•We do not serve advertisements or share data with advertising networks
•We do not profile Data Principals (claimants, adjusters) for purposes beyond the contracted verification service
•We do not share your data with any entity for marketing purposes
•We do not use your data to build competitive intelligence or share it with your competitors

4. Legal Basis for Processing

4.1 Under the DPDP Act 2023 & Rules 2025

•Consent (Section 6, Rule 3): The Vashix SDK displays a clear, itemised consent notice in plain language before any data collection begins. Consent is granular — users are informed of each category of data collected and its purpose
•Contractual necessity: Processing is necessary for the performance of the service agreement between Vashix and your organisation
•Legal obligation: Certain processing is required to comply with Indian tax law, the IT Act 2000, and DPDP Rules 2025 (e.g., security log retention under Rule 6(1)(e))
•Legitimate interest: Limited processing for fraud detection, security monitoring, and service improvement where it does not override the rights of the Data Principal

4.2 Consent Management

•Consent can be withdrawn at any time by the Data Principal through their organisation (the Data Fiduciary)
•Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal
•If consent is withdrawn, Vashix will cease processing and delete the associated personal data, subject to legal retention requirements
•The SDK records consent_given, consent_timestamp, consent_version, and data_categories_consented in the capture manifest for audit purposes

5. Data Storage & Residency

5.1 Data Storage

•Your data is stored on secure cloud infrastructure with encryption at rest and in transit
•We are working towards India-only data residency and will update this policy when migration is complete
•We do not transfer personal data outside of our contracted infrastructure providers
•We do not share infrastructure access with any third party beyond our sub-processors listed in Section 6

5.2 Retention Periods

•Photo data and associated metadata: retained per your subscription plan configuration — 7 days (Free), 30 days (Pro), 365 days (Enterprise), or custom
•Automatic deletion of photo data and personal metadata upon retention period expiry or account deletion
•Security audit logs: retained per your plan's audit retention period — these logs do not contain photo content or personally identifiable metadata
•Account and billing records: retained as required by applicable Indian tax law
•Website cookies and analytics: session cookies expire on browser close; analytics data retained for 26 months in anonymised form

5.3 Data Deletion

•Upon expiry of the retention period or account deletion request, photo data is permanently and irrecoverably deleted
•Account deletion includes a 90-day cooling-off period during which you can cancel the request
•A cryptographic receipt is generated as proof of deletion (contains no personal data)
•For details, see our Account Deletion Policy

6. Data Sharing & Disclosure

6.1 Sub-Processors

•Cloud infrastructure provider — hosting, compute, and storage
•Cloudflare — content delivery and object storage
•Razorpay Software Private Limited — payment processing (Vashix does not access or store card data)
•Resend — transactional email delivery (email addresses only; no photo data or verification data)
•No other sub-processors have access to personal data
•We maintain an up-to-date sub-processor list. Enterprise customers are notified 30 days before any new sub-processor is added, with the right to object

6.2 Legal Disclosure

•We may disclose data when required by a valid order from an Indian court or the Data Protection Board of India
•We may disclose data to law enforcement when required under the Code of Criminal Procedure, 1973 or the IT Act, 2000
•We will notify your organisation before disclosure unless legally prohibited from doing so (e.g., under a gag order)
•We do not voluntarily disclose data to any government, foreign authority, or private entity
•We have never received a national security order or surveillance request. If we do, we will challenge it to the extent permitted by law and notify you when legally permissible

6.3 Business Transfers

•In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity
•We will provide at least 30 days' notice before any such transfer and give you the option to delete your data before the transfer occurs
•The successor entity will be bound by the terms of this Privacy Policy until a new policy is communicated to you

7. Payment Data & Financial Information

7.1 How Payment Data Is Handled

•Vashix uses Razorpay as its payment gateway. Razorpay is PCI-DSS Level 1 compliant — the highest level of payment security certification
•When you make a payment, your card number, CVV, expiry date, UPI ID, or netbanking credentials are entered directly into the payment gateway's secure iframe/SDK. This data never touches Vashix servers
•Vashix stores only: transaction ID, payment status (success/failed/pending), amount, currency, invoice number, and the last 4 digits of your card (for display purposes only)
•We do not store full card numbers, CVVs, UPI PINs, or netbanking passwords — at any point, in any system
•Payment disputes and chargebacks are handled through the respective payment gateway's dispute resolution process

7.2 Billing Records

•Invoices are generated automatically and stored for 8 years per Indian tax law (GST Act, 2017; Income Tax Act, 1961)
•You can download all invoices from the dashboard at any time during your subscription or within 30 days of account closure
•Billing data includes: organisation name, billing address, GST number (if provided), plan details, amounts, and tax breakdowns

8. Security Measures

8.1 Technical Safeguards

•Encryption for all data at rest and in transit
•Secure hardware signing on supported devices — private keys generated in device hardware and never exported
•Role-based access control with principle of least privilege
•API key scoping: per-environment and per-permission granularity
•Rate limiting configurable per plan tier
•Full audit logging of every API call, dashboard action, and data access event
•Replay protection for all verification requests

8.2 Organisational Safeguards

•Background verification for personnel with access to production systems
•Incident response procedures in place
•All production access is logged

8.3 Breach Notification (DPDP Rules 2025, Rule 7)

•In the event of a data breach affecting your data, Vashix will notify your organisation within the timeline specified in the DPA (and in any case within 72 hours of becoming aware of the breach)
•We will provide a pre-filled incident report template for your submission to the Data Protection Board of India
•The dashboard will display a countdown timer to the 72-hour notification deadline with a downloadable report

9. Cookies & Similar Technologies

9.1 Cookies We Use

•Strictly necessary cookies: session management, authentication state, CSRF protection. These cannot be disabled without breaking the dashboard
•Functional cookies: dashboard preferences (theme, timezone, language). These improve your experience but are optional
•We do not currently use analytics cookies. If we add analytics in the future, we will use privacy-respecting tools with no cross-site tracking
•We do NOT use: advertising cookies, remarketing pixels, social media tracking pixels, or any third-party analytics that track users across sites

9.2 Managing Cookies

•You can disable non-essential cookies through your browser settings at any time
•Disabling strictly necessary cookies may prevent the dashboard from functioning correctly
•Our SDK does not use cookies — it operates via API authentication tokens only
•Our marketing website uses only strictly necessary cookies and anonymised analytics

10. Your Rights Under the DPDP Act 2023

10.1 Rights of Data Principals

•Right to access (Section 11): Request a summary of all personal data processed by Vashix on your behalf, including the categories of data, purposes of processing, and any third parties with whom data has been shared
•Right to correction (Section 11): Request correction of inaccurate, incomplete, or misleading personal data
•Right to erasure (Section 12): Request permanent deletion of your personal data via the dashboard or by contacting us. A cryptographic receipt is generated as proof of deletion
•Right to grievance redressal (Section 13): File a complaint with our Data Protection Officer if you believe your data has been processed in violation of the DPDP Act
•Right to nominate (Section 14): Nominate another person to exercise your rights in case of death or incapacity

10.2 How to Exercise Your Rights

•Data Fiduciaries (your organisation): Use the dashboard's Compliance section or the API to process Data Principal requests directly
•Data Principals (claimants, adjusters, field agents): Contact your organisation first, as they are the Data Fiduciary responsible for your data
•If your organisation is unresponsive within 30 days, you may contact our Data Protection Officer directly at dpo@vashix.com or hello@vashix.com
•We acknowledge all valid requests within 72 hours and fulfil them within 30 days
•There is no fee for exercising your rights under the DPDP Act
•Erasure requests generate a cryptographic receipt as proof of deletion

10.3 Limitations on Erasure

•Security audit logs (not containing photo content) are retained for 1 year per DPDP Rules 2025, Rule 6(1)(e) — even after erasure of personal data. This is disclosed in the consent notice
•Billing records are retained for 8 years per Indian tax law — these contain only organisation-level data, not individual captures
•Data that has been anonymised and aggregated cannot be traced back to an individual and is therefore outside the scope of erasure rights

11. Children's Data

11.1 Policy on Minors

•Vashix services are designed for enterprise use by organisations (B2B). We do not knowingly offer services directly to individuals under 18 years of age
•If the SDK is used to capture data involving a minor (e.g., a minor claimant), the Data Fiduciary (your organisation) is responsible for obtaining verifiable consent from the minor's parent or legal guardian, as required by Section 9 of the DPDP Act 2023
•Vashix provides SDK configuration options to enforce parental consent workflows when minors may be involved
•If we become aware that personal data of a child has been processed without proper consent, we will delete it promptly and notify the Data Fiduciary
•Penalties for children's data violations under the DPDP Act can reach INR 200 crore — Data Fiduciaries must ensure compliance

12. Third-Party Links & Integrations

12.1 External Links

•Our website and documentation may contain links to third-party websites (e.g., regulatory bodies, standards organisations, payment gateways). We are not responsible for the privacy practices of these websites
•When you click on a third-party link, you leave our platform and are subject to that third party's privacy policy
•We recommend reviewing the privacy policy of any third-party service before providing personal data to it

12.2 API Integrations

•When you integrate the Vashix SDK or API into your application, data flows between your systems and ours as described in the Data Processing Agreement
•You are responsible for ensuring that your application's privacy notice accurately describes the data processed by Vashix on your behalf
•Webhooks sent to your registered endpoints contain verification data — you are responsible for securing your webhook endpoints

13. Changes to This Policy

13.1 How We Communicate Changes

•We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance
•Material changes (changes to data collection, sharing, retention, or your rights) will be communicated via email to your registered account address at least 30 days before they take effect
•Non-material changes (typographical corrections, formatting) may be made without advance notice
•The "Last Updated" date at the top of this page reflects when the most recent changes were made
•Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy
•If you do not agree with the changes, you may terminate your account and request deletion of your data before the changes take effect

14. Contact Us

Data Protection Officer

•Vashix — Photo Verification Platform
•Mumbai, Maharashtra, India
•Email: hello@vashix.com
•Response time: acknowledgement within 72 hours, resolution within 30 days

Grievance Redressal

•If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India
•Data Protection Board of India: https://www.meity.gov.in/data-protection-framework
•You may also approach the appropriate consumer forum or court of competent jurisdiction in Mumbai, Maharashtra

Regulatory References

•DPDP Act 2023: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
•DPDP Rules 2025: https://egazette.gov.in/WriteReadData/2025/251163.pdf
•IT Act 2000: https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf

This policy is governed by Indian law. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India. This policy should be read together with our Terms of Service, Data Processing Agreement, and Refund & Cancellation Policy.
