Privacy Policy

Effective Date: April 7, 2026
Last Updated: April 2026
Applicable To: TAAU Mobile Application (Android & iOS)

Privacy Notice

This Privacy Policy ("Policy") describes how Codesunicorn ("we", "us", "our"), located in Haryana, India, collects, processes, stores, and protects your personal data when you use the TAAU mobile application (the "App"), available at taau.app.

This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (SPDI) Rules, 2011, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Consumer Protection (E-Commerce) Rules, 2020.

1. Data Controller

Name	Codesunicorn
Address	Haryana, India
App	TAAU — Local Services & Transportation Companion
Website	taau.app
Privacy Contact	privacy@codesunicorn.com

2. Data We Collect

2.1 Account & Identity Data

When you create an account, we collect:

Email address — collected via Google Sign-In or Email/Password registration through Firebase Authentication
Display name and profile photo — from your Google account or manually provided
Firebase Authentication UID — a unique identifier assigned by our authentication provider
Phone number — 10-digit Indian mobile number, verified via WhatsApp OTP (see Section 2.8)
User roles — assigned roles such as Normal, Business, Maintainer, or Admin that determine feature access

2.2 Location Data

With your explicit permission, we collect:

GPS coordinates — obtained via the device's Geolocator service using high-accuracy mode
City, state, and district — derived through reverse geocoding of your GPS coordinates

India-only validation: Location data is validated to ensure it falls within India. Location permission is requested at the point of use (not at installation) and can be revoked at any time through your device settings.

2.3 Device & Technical Data

We automatically collect certain device information:

Firebase Cloud Messaging (FCM) registration token for push notifications
App version, device model, operating system version, and device locale
Crash reports and performance metrics via Firebase Crashlytics and Firebase Analytics
Firebase App Check token for device attestation (Play Integrity on Android, App Attest on iOS)

2.4 Delivery Address Data

You may optionally save delivery addresses containing:

Recipient name, phone number, full address, landmark, and delivery instructions

Local-only storage: Delivery addresses are stored exclusively on your device using encrypted shared preferences (AES-256 encryption via flutter_secure_storage). This data is never uploaded to our servers or any cloud service. It remains on your device and is removed when you uninstall the App.

2.5 Usage & Activity Data

We collect limited usage data to improve the App:

Feature usage tracking and interaction patterns
Search history — capped at a maximum of 20 entries, stored locally on your device
Session count and last active timestamp
Token transaction history — stored locally, capped at 100 entries

2.6 Social & User-Generated Content

When you create or interact with social content, we store:

Posts: title, description, images, videos, PDFs, tags, and associated location
Interactions: comments, likes, and shares — linked to your user ID

2.7 Business & Service Provider Data

If you register as a business or service provider, we collect:

Shop or service details: name, address, city, state, phone number, images, description, category, and geographic coordinates
Subscription information and status
Order and booking records associated with your business

2.8 Verification & OTP Data

For phone number verification via WhatsApp OTP:

Phone number submitted for verification
OTP hashed using SHA-256 with a random secret — the plaintext OTP is never stored
OTP expires after 5 minutes and is automatically deleted
WhatsApp verification timestamp and status

2.9 Content Reports

If you report content within the App, we collect:

Your user ID, name, and email address (as reporter)
Content ID being reported
Report category and description

2.10 Data We Do NOT Collect

We want to be explicit about what we do not collect:

Credit card or banking details — We do not use any payment SDK. All subscriptions are handled via cash or UPI on delivery.
Data broker sales — We do not sell your personal data to data brokers or third-party marketers.
Background location — Location is collected only while you are actively using the relevant feature.

3. How We Use Your Data

3.1 Purposes of Processing

We process your personal data for the following purposes:

Purpose	Data Categories	Legal Basis
Account creation and authentication	Email, name, phone, Firebase UID, roles	Consent (DPDP Act)
Providing location-based services and transportation information	GPS coordinates, city/state/district	Consent
Sending push notifications	FCM token, notification preferences	Consent
Enabling social features (posts, comments, likes)	User-generated content, profile data	Consent
Business listings and service provider functionality	Business details, orders, subscriptions	Consent / Contractual necessity
App stability, crash reporting, and performance monitoring	Device data, crash logs, analytics	Legitimate interest
Fraud prevention and security enforcement	App Check token, device data, usage patterns	Legitimate interest / Legal obligation
Content moderation and handling reports	Report data, user ID, content data	Legal obligation (IT Rules 2021)
Phone number verification	Phone number, hashed OTP	Consent
Serving advertisements	Device advertising ID, device info	Consent (via device settings)

3.2 AI-Assisted Content Moderation

To comply with our obligations under the IT (Intermediary Guidelines) Rules, 2021 and to maintain a safe platform, we use artificial intelligence (AI) services to assist with content moderation. This means:

Content you submit (such as post titles, descriptions, shop names, service listings, and job posts) may be shared with third-party AI service providers for the purpose of checking compliance with our content rules and applicable law.
AI providers we may use include, but are not limited to, Anthropic, OpenAI, Perplexity, etc., subject to their respective terms of service and privacy policies.
Before sharing, we redact personally identifiable information (email addresses, phone numbers, URLs, and long numeric IDs) from content sent to AI services.
Only text content is sent for AI moderation. Images, videos, and other media are not shared with AI services.
Content is truncated to a maximum of 2,000 characters before being sent for moderation.
AI moderation results are recommendations only — final decisions on content approval or rejection are made by human administrators.

AI data usage: Our AI service providers have confirmed that content submitted via their API is not used to train or improve their AI models. However, their use of data is subject to their own terms of service and privacy policies, which we encourage you to review. We are not responsible for the data practices of these third-party AI providers beyond our contractual obligations.

3.3 Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal or similarly significant effects. Role assignments (Admin, Maintainer, Business, Normal) are made manually by authorized personnel. AI-assisted content moderation provides recommendations only — all final moderation decisions are made by human administrators.

4. Third-Party Services

We use the following third-party services to operate the App. Each service processes data according to its own privacy policy:

Service Provider	Purpose	Data Shared
Firebase (Google Cloud) Authentication, Cloud Firestore, Cloud Messaging, Analytics, Crashlytics, App Check, Cloud Functions	Authentication, database, push notifications, analytics, crash reporting, device attestation, server-side processing	Email, UID, device data, usage data, crash logs, FCM token. All services hosted in asia-south1 (Mumbai, India).
Google Mobile Ads (AdMob)	Advertising	Device advertising ID, device model, OS version, app version. AdMob Privacy Policy
Google Maps Platform	Map display and geocoding	GPS coordinates for map rendering and reverse geocoding. Google Maps Privacy
Cloudinary	Image and video storage for user-generated content	Images and videos uploaded via server-signed requests (API secret never exposed on client device). Cloudinary Privacy Policy
AuthKey.io	WhatsApp OTP delivery for phone verification	Phone number and OTP for delivery. OTP is hashed (SHA-256) before storage. AuthKey Privacy Policy
Open Food Facts	Product barcode lookup	Barcode numbers only (no personal data). Open Food Facts Privacy
AI Content Moderation Services Including but not limited to Anthropic, OpenAI, Perplexity, etc.	AI-assisted content moderation for user-generated content	Text content only (post titles, descriptions, shop names, listings). PII (emails, phone numbers, URLs) is redacted before sharing. Images and videos are never shared. Content truncated to max 2,000 characters. API data is not used for AI model training per provider policies. Anthropic Policies • OpenAI Privacy Policy • Perplexity Privacy Policy

Data localization note: Our primary Firebase project is hosted in the asia-south1 (Mumbai) region. However, Google may process or replicate data across its global infrastructure for reliability and performance. See Section 10 for cross-border transfer details.

5. Data Security

5.1 Technical Security Measures

We implement the following security measures to protect your personal data:

Firebase Authentication with role-based access control (RBAC) — user roles stored in a roles array with Admin, Maintainer, Business, and Normal tiers
Firebase App Check — device attestation via Play Integrity (Android) and App Attest (iOS) to prevent unauthorized client access
OTP security — OTPs are hashed using SHA-256 with a random secret; plaintext OTPs are never stored on our servers
Encrypted local storage — delivery addresses and sensitive local data are encrypted with AES-256 via flutter_secure_storage
Server-signed media uploads — Cloudinary uploads are signed server-side; the API secret is never present on client devices
Network security — cleartext (HTTP) traffic is disabled; a custom network security configuration enforces HTTPS-only communication
Firestore security rules — a comprehensive ruleset governing read/write access at the document and collection level, including role-based validation
Rate limiting — enforced on authentication, OTP generation, and other sensitive operations to prevent abuse

5.2 Organizational Security Measures

Access to production systems and databases is restricted to authorized personnel on a need-to-know basis
Service account credentials are stored as environment variables and are never included in source code
Regular review of Firestore security rules and access patterns

Limitation: While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data during transmission or storage.

6. Data Retention

Data Category	Retention Period	Basis
Account data (email, name, phone, roles)	Until account deletion request	Service necessity
OTP data	5 minutes (auto-deleted)	Security best practice
Search history	Maximum 20 entries (local, rolling)	Feature functionality
Token transaction history	Maximum 100 entries (local, rolling)	Feature functionality
Delivery addresses	Until app uninstall (local only, never uploaded)	User convenience
User-generated content (posts, comments)	Until account deletion or user-initiated removal	Service necessity
Business listings	Until account deletion or business deregistration	Service necessity
Content reports	Until resolution + applicable legal retention period	Legal obligation (IT Rules 2021)
Firebase Crashlytics data	Approximately 90 days	Google's retention policy
Firebase Analytics data	2 to 14 months (configurable)	Google's retention policy

7. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you are a "Data Principal" with the following rights regarding your personal data:

7.1 Right to Access

You have the right to obtain a summary of the personal data we process about you and the processing activities we carry out. You can view most of your data directly within the App's profile and account settings.

7.2 Right to Correction and Completion

You have the right to correct inaccurate or incomplete personal data. You can update your profile information, display name, phone number, and business details directly within the App.

7.3 Right to Erasure (Deletion)

You have the right to request the deletion of your personal data. See Section 8 for details on our account deletion process.

7.4 Right to Nominate Another Person

Under the DPDP Act, you have the right to nominate another person to exercise your data principal rights in the event of your death or incapacity. To make such a nomination, contact us at privacy@codesunicorn.com.

7.5 Right to Grievance Redressal

You have the right to register a grievance regarding the processing of your personal data. See Section 13 for the Grievance Officer's contact details.

7.6 Right to Withdraw Consent

You have the right to withdraw your consent at any time. Withdrawing consent is as easy as giving it. You may:

Revoke location permission through your device settings
Disable push notifications through your device settings or within the App
Reset your device advertising ID through your device settings
Request account deletion (Section 8) to withdraw consent for all data processing

Note: Withdrawing consent for certain data (such as account data) may affect your ability to use the App's services. We will inform you of any such consequences before you withdraw consent.

8. Account Deletion

8.1 How to Delete Your Account

You can request account deletion through the App's settings screen. Upon confirmation:

Your data is comprehensively deleted from over 90 Firestore collections, including profile data, posts, comments, business listings, orders, bookings, and associated records
You are unsubscribed from all FCM notification topics
Your Firebase Authentication account is permanently deleted

8.2 Limitations of Deletion

The following data may persist after account deletion due to third-party retention policies:

Cloudinary media — Images and videos you uploaded may persist in Cloudinary's storage and are subject to Cloudinary's retention policy
Firebase Analytics and Crashlytics logs — Subject to Google's retention policies (see Section 6)
Local device data — Search history, delivery addresses, and cached data stored on your device must be cleared by uninstalling the App

8.3 Data That May Be Retained

We may retain certain data as required by applicable law, for legal proceedings, to enforce our agreements, or to prevent fraud. Such data will be retained only for as long as necessary and in accordance with applicable law.

9. Cookies and Tracking

9.1 Mobile App Tracking

As a mobile application, TAAU does not use traditional browser cookies. However, the following tracking technologies are in use:

Firebase Analytics: Collects device information, session data, screen views, and in-app events to help us understand how the App is used and improve its features
Google AdMob: Uses your device's advertising ID to serve relevant advertisements. You can reset your advertising ID or limit ad tracking through your device settings:

9.2 Managing Ad Tracking

Android: Settings > Google > Ads > Reset advertising ID or Opt out of Ads Personalization
iOS: Settings > Privacy & Security > Apple Advertising > Personalized Ads (toggle off)

10. Cross-Border Data Transfers

Your personal data is primarily processed and stored on Firebase (Google Cloud) infrastructure hosted in the asia-south1 (Mumbai, India) region. However:

Google may transfer or replicate data across its global infrastructure for reliability, disaster recovery, and performance optimization
Cloudinary (image/video storage) may process data in regions outside India
AuthKey.io (OTP delivery) may process data outside India

Compliance with DPDP Act: All cross-border transfers comply with the DPDP Act, 2023. We follow the negative list approach prescribed under the Act — personal data is not transferred to any country or territory that the Indian Government has blacklisted or restricted. We ensure that recipients of your data provide an adequate level of data protection.

11. Children's Privacy

Age restriction: 18+ only. The TAAU App is not intended for and is not targeted at individuals under the age of 18 years.

An age verification checkbox is required during registration, confirming that the user is at least 18 years of age
We do not knowingly collect personal data from children under 18
If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data
If you believe a child under 18 has provided us with personal data, please contact us at privacy@codesunicorn.com

12. Consent

12.1 How Consent Is Obtained

We obtain your consent through the following mechanisms:

Registration consent: At account creation, you must acknowledge a checkbox confirming that you are 18 years or older and that you accept our Terms and Conditions and this Privacy Policy
Runtime permissions: Separate, explicit permissions are requested at the point of use for:
- Location (GPS) — requested when you first use a location-dependent feature
- Camera and media access — requested when you attempt to upload images or videos
- Notifications — requested when the App first needs to send you push notifications

12.2 Granular Consent

Each permission is requested independently and can be granted or denied separately. You are never required to grant all permissions to use the App — core features remain accessible even if certain permissions (such as location or notifications) are denied.

13. Grievance Officer

In compliance with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address concerns regarding data processing and content on the App:

Name	Diksha Vij
Email	codesunicorn@gmail.com
Acknowledgment	Within 24 hours of receipt of complaint
Resolution	Within 15 calendar days from the date of receipt of complaint

To file a grievance, you may also contact us through the App or by writing to the address provided in Section 1.

14. Intermediary Obligations

TAAU functions as an intermediary under the Information Technology Act, 2000, by enabling users to post content, list businesses, and interact with each other. In compliance with the IT (Intermediary Guidelines) Rules, 2021:

We publish this Privacy Policy and our Terms and Conditions on our website at taau.app
We have appointed a Grievance Officer (Section 13) with published contact details
We respond to content removal requests within the timelines prescribed by law
We do not initiate the transmission of user-generated content, select the recipients of transmissions, or modify the content of user submissions
Users retain ownership of their content. We act as a platform for its display and distribution

15. E-Commerce Disclosures

In compliance with the Consumer Protection (E-Commerce) Rules, 2020, we disclose:

Identity: Codesunicorn, Haryana, India
Contact: privacy@codesunicorn.com
Payment methods: We do not collect payments online. All subscriptions and purchases are fulfilled via cash or UPI on delivery — no payment SDK or online payment gateway is used
Grievance mechanism: As described in Section 13

16. Sensitive Personal Data

In compliance with the IT (SPDI) Rules, 2011, we handle sensitive personal data as follows:

Passwords: Managed by Firebase Authentication; we do not store plaintext passwords
Financial information: We do not collect credit card numbers, bank account details, or other financial information
Biometric data: We do not collect biometric data
Health data: We do not collect health-related data
Location data: Treated as sensitive personal data under IT (SPDI) Rules; collected only with explicit consent (see Section 2.2)

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

We will update the "Last Updated" date at the top of this Policy
For material changes, we will notify you through a prominent notice within the App or via email
Continued use of the App after the effective date of any changes constitutes your acceptance of the revised Policy
We encourage you to review this Policy periodically to stay informed about how we protect your data

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through any of the following channels:

Privacy Email	privacy@codesunicorn.com
Grievance Officer	grievance@codesunicorn.com
Postal Address	Codesunicorn, Haryana, India
Website	taau.app

Summary of Your Key Rights

Access your personal data at any time through the App
Correct inaccurate or incomplete data
Delete your account and associated data (Section 8)
Withdraw consent as easily as you gave it (Section 7.6)
Nominate another person to exercise your rights (Section 7.4)
File a grievance with our Grievance Officer (Section 13)
Control ad tracking through your device settings (Section 9.2)

We are committed to protecting your privacy and being transparent about how we handle your information.