Privacy Policy. Your data, your rights.
How we handle your personal information: what we collect, why, who we share it with, and the rights you have.
Overview
This Privacy Policy explains how DattaRemit Inc. (“DattaRemit”, “we”, “us”) collects, uses, stores, shares, and protects personal information in connection with our website at dattaremit.com, our mobile applications, and our USD-to-INR money-transfer service (together, the “Service”). It applies to everyone who visits our website, registers an account, initiates a transfer, or is named as a recipient of a transfer. By using the Service you confirm that you have read and understood this Policy.
Who we are and how to contact us
DattaRemit Inc. is the data controller for personal information collected through the Service. You can contact our data-protection team at [email protected] with any privacy question or to exercise any of the rights described below. We will acknowledge your request within a reasonable period and respond substantively within the time frames set by the law that applies to you.
Information we collect
We only collect the information we need to provide the Service, meet our legal obligations, and keep our platform secure. The categories below describe what we collect and why.
- Identity information: full legal name, date of birth, nationality, government-issued identification type and number, and a photograph or selfie used for identity verification. Collected during KYC and when you add a recipient.
- Contact information: email address, phone number, residential address, and, for recipients, a contact number used for transfer notifications.
- Financial information: US bank account linkage metadata (provided via Plaid), recipient Indian bank account number, IFSC code, bank name, branch, and account type. For Indian recipients we also collect Aadhaar and Permanent Account Number (PAN) as required by Indian regulation.
- Transaction information: amount sent, exchange rate applied, fees, amount received, timestamps, reference numbers, partner transaction identifiers, and transfer status.
- Device and usage information: IP address, device type and model, operating system, application version, browser type, language preference, crash and diagnostic data, push-notification tokens, and general patterns of usage.
- Authentication material: hashed passwords (managed by our authentication provider), session tokens, and one-time step-up codes. We do not store plaintext passwords or biometric templates; biometric matching happens on your device.
- Communications: messages you send to our support team, and logs of notifications and emails we send to you.
How we use your information
We use your personal information only for the purposes listed below. We do not sell personal information and we do not share it with third parties for their own marketing.
- To verify your identity and perform Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) checks, through our regulated payments partner.
- To operate, process, and settle money transfers between your US bank account and the recipient’s Indian bank account.
- To display accurate exchange-rate and fee information before you confirm a transfer.
- To send you service communications (transfer receipts, KYC notifications, security alerts, and account updates) by email, in-app message, or push notification.
- To prevent, detect, and investigate fraud, abuse, security incidents, and other prohibited activity on our platform.
- To comply with applicable legal, tax, and regulatory obligations, including record-keeping and reporting duties.
- To resolve disputes, enforce our Terms of Service, and establish or defend legal claims.
- To improve the Service through aggregated, non-identifying analysis of how our applications are used.
- With your consent, to send you occasional product updates and marketing communications; you can withdraw consent at any time.
Legal bases (EEA/UK residents)
If you are located in the European Economic Area or the United Kingdom, we process your personal information on the following legal bases:
- Performance of a contract: to deliver the Service you have asked us to provide, including executing transfers and providing account access.
- Compliance with a legal obligation: to meet KYC, AML, sanctions, tax, and record-keeping requirements that apply to us or to our regulated partner.
- Legitimate interests: to secure our platform against fraud and abuse, to investigate suspicious activity, to improve the Service, and to communicate with customers about material changes. Where we rely on legitimate interests we have considered and balanced them against your rights.
- Consent: for marketing communications, optional analytics, and any other processing where consent is the appropriate basis. You can withdraw consent at any time.
How we protect your information
We apply layered technical and organisational controls to protect personal information. The most important are:
- Field-level encryption of highly sensitive personal data (name, date of birth, phone number, email, bank account number, IFSC, etc.) using AES-256-GCM with master keys stored in AWS Key Management Service.
- Blind indexing (HMAC-SHA256) so that exact-match lookups work on encrypted data without the plaintext ever being stored.
- TLS 1.2 or higher on all client–server and service-to-service links, with HSTS preload enabled.
- Strict Content Security Policy, X-Frame-Options DENY, and other hardened security headers on our web properties.
- Strong authentication through Clerk, with email-code step-up on sensitive actions on the web and Face ID / fingerprint gating on mobile.
- Idempotency keys and HMAC-signed webhooks (with a five-minute replay window) to protect financial operations.
- Structured logs with automatic PII redaction, so sensitive fields never appear in log files or error-tracking systems.
- Continuous security review: Semgrep SAST on every change, bun audit on every CI run, and Trivy container scanning before deployment.
- Least-privilege engineering access to production and an internal audit log of every admin action.
Despite these measures, no system is perfectly secure. You can help protect your account by choosing a strong, unique password, enabling biometric unlock on mobile, and contacting us at [email protected] as soon as you notice anything suspicious.
Data retention
We retain personal information only for as long as we need it to provide the Service, meet our legal and regulatory obligations, and defend legal claims. Typical retention periods are:
- Customer identification records (KYC documents and verification results): at least five (5) years after the end of the customer relationship, as required by US and Indian AML regulation.
- Transaction records: at least five (5) years after the transaction date.
- Account metadata: while your account is open, and for up to five (5) years after closure for audit and dispute purposes.
- Application logs with PII redacted: typically 30 to 90 days, unless a specific incident requires longer retention.
- Marketing preferences: until you withdraw consent.
After the applicable retention period we either delete the information or anonymise it so that it can no longer be linked to you.
Your rights
Depending on where you live, you may have some or all of the following rights. We will not discriminate against you for exercising any of them.
- Access: to know what personal information we hold about you and to receive a copy of it.
- Rectification: to have inaccurate or incomplete information corrected.
- Deletion: to request that we delete personal information, subject to our legal and regulatory retention obligations (for example, AML record-keeping duties).
- Restriction and objection: to ask us to limit certain processing, or to object to processing based on legitimate interests.
- Portability: to receive your information in a structured, machine-readable format and to transmit it to another controller where technically feasible.
- Withdrawal of consent: where we rely on consent (for example, for marketing), you can withdraw it at any time without affecting the lawfulness of prior processing.
- Do-not-sell / share and limit sensitive data: California residents may request that we limit the use of sensitive personal information; because we do not sell or share personal information for cross-context behavioural advertising, these rights are respected by default.
- Lodge a complaint: you have the right to lodge a complaint with your data-protection authority or, in the United States, the relevant state attorney general.
To exercise any of these rights, email [email protected]. We may need to verify your identity before acting on a request.
Children
The Service is for adults only. You must be at least 18 years old to create an account or initiate a transfer. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe a minor has used the Service, please contact us at [email protected].
Cookies and similar technologies
We use a small number of cookies and similar technologies to keep you logged in, remember your theme preference, and prevent abuse. We do not use cookies for cross-context behavioural advertising. For the full list and instructions on managing cookies, see our Cookie Policy at /cookies.
Automated decision-making
We apply automated rules to help detect fraud, prevent duplicate transfers (idempotency), and screen transactions against sanctions and other restricted-party lists. These automated checks may cause a transfer to be held or declined. Where a decision with a legal or similarly significant effect is made solely by automated means, you have the right to ask for human review. Contact [email protected] to exercise that right.
Third-party websites and services
Our Service may contain links to third-party websites or integrate with third-party services (for example, Plaid for bank linking). This Policy does not apply to those third-party sites or services; please review their own privacy policies before using them.
Changes to this Policy
We review this Policy regularly and will update it to reflect changes in the Service, our partners, or applicable law. When we make a material change we will notify you through the Service or by email and will update the “last updated” date below. Your continued use of the Service after the effective date of a change means you accept the updated Policy.
Contact us
For any question or request about this Privacy Policy, or to exercise any of the rights above, please write to [email protected]. You can also reach our support team at [email protected] and our compliance team at [email protected]. If you would prefer to write by post, contact us for our current registered address.