Privacy Policy

This Policy explains how Inktally processes personal data when you use our website and Service. Because of our zero-knowledge design, the contents of your vault are encrypted on your device and are not readable by us; this Policy concerns the limited personal data we necessarily process to run the Service.

The data controller is Whitescroll Technologies (OPC) Private Limited, India. We have appointed a Data Protection Officer, reachable by clicking here. The DPO acts as our grievance officer under the DPDP Act and as our Article 27 representative under the GDPR for data subjects in the EEA.

We process the following categories:

• Account data — email address, authentication material, plan.
• Encrypted vault blobs — opaque ciphertext we cannot read.
• Recipient & trigger metadata — emails and release conditions you configure.
• Billing data — handled by our payment processors; we store only references.
• Technical data — IP address, user agent, and timestamps for security.
• Support data — the contents of messages you send us.
• Audit records — integrity-protected logs of security-relevant actions.

Most data comes directly from you when you register, configure your vault, or contact us. Technical data is collected automatically when you use the Service. We do not buy personal data from third parties.

We process data only for the purposes below, each with a legal basis under the GDPR and a corresponding ground under India's DPDP Act:

• Provide the Service — performance of our contract with you (GDPR Art. 6(1)(b); DPDP: necessary for the specified purpose you consented to).
• Security & fraud prevention — our legitimate interests (GDPR Art. 6(1)(f); DPDP: legitimate use).
• Billing — performance of contract and compliance with tax law (GDPR Art. 6(1)(b)/(c)).
• Service & security notifications — legitimate interests; security notices are not optional and cannot be unsubscribed.
• Product nudges (e.g. annual review) — consent, which you can withdraw at any time.

We do not sell personal data. We share data only with the sub-processors needed to run the Service, each under a data-processing agreement:

• Amazon Web Services (Mumbai region) — encrypted storage & compute.
• Cloudflare — content delivery, DNS, and DDoS protection.
• Postmark — transactional email delivery.
• Stripe & Razorpay — payment processing.

We may disclose data where required by valid legal process, but our zero-knowledge design means we cannot produce decrypted vault contents.

Your data is primarily stored in India (AWS Mumbai). Where a sub-processor processes data outside your region, we rely on appropriate safeguards — Standard Contractual Clauses for EEA/UK transfers, and equivalent contractual protections elsewhere.

We keep account and vault data for as long as your account is active. On deletion, data is removed within 30 days, except integrity-protected audit logs and records we must retain for legal or tax purposes, which are kept for the period the law requires and then deleted.

Depending on where you live, you have rights over your personal data:

• Under the GDPR — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
• Under the CCPA/CPRA — know, delete, correct, and opt out of sale or sharing (we do neither), without discrimination for exercising these rights.
• Under the DPDP Act — access, correction, erasure, grievance redressal, and nomination of another individual to exercise your rights.

To exercise any right, write to our DPO by clicking here. We respond within 30 days, extendable where a request is complex.

We use only strictly necessary cookies for authentication and security. We do not use advertising or cross-site tracking cookies, and our emails contain no tracking pixels.

Inktally is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact our DPO and we will delete it.

Vault contents are end-to-end encrypted; keys are derived on your device and never reach us. We additionally apply transport encryption, access controls, integrity-protected audit logs, and routine security review. No system is perfectly secure, but our design minimises what an attacker — or we — could ever access.

We may update this Policy; material changes will be notified by email or in-product with reasonable advance notice. The “Updated” date above always reflects the current version.

For any question or complaint about this Policy or our processing of your data, contact our DPO by clicking here. EEA residents may also complain to their local supervisory authority; Indian residents may approach the Data Protection Board of India.