1 · Information We Collect
What we collect
We collect only what is necessary to operate Crossyl safely and effectively. This includes:
- Account information: Name, date of birth, phone number, and profile photos you choose to share.
- Verification data: Government-issued ID submitted for KYC. This is encrypted with AES-256 and processed by our licensed verification partner. Your ID number and document are never visible to other users or Crossyl staff.
- Plan and activity data: Plans you create, matches you interact with, messages you send within the app.
- Location data: Your approximate city/area for plan matching. Precise GPS is used only for SOS mode and only with your explicit consent at the time.
- Device and technical data: Device type, operating system version, app version — used solely for technical support and security.
2 · How We Use Your Information
Purpose of processing
Your data is used solely to operate and improve Crossyl. Specific purposes include:
- Matching you with other users based on shared plans and location
- Verifying your identity and preventing fake accounts
- Enabling in-app messaging between matched users
- Operating the SOS safety feature
- Enforcing our Terms of Service and Community Guidelines
- Complying with applicable legal obligations
- Improving app performance and fixing bugs
We do not use your data to build advertising profiles. We do not show you ads. Our revenue comes from subscriptions only.
3 · Sharing Your Information
We do not sell your data — ever
Crossyl does not sell, rent, trade, or license your personal data to any third party. Data is shared only in these strictly limited circumstances:
- With your explicit consent — for example, when you share your live location with an emergency contact via SOS.
- With service providers who process data on our behalf under strict Data Processing Agreements: our KYC verification partner, cloud hosting provider (servers in India), and in-app messaging infrastructure. These providers may not use your data for any purpose other than the service we specify.
- With law enforcement when required by a valid court order, warrant, or applicable Indian law. We will notify affected users where legally permitted to do so.
- In a merger or acquisition — if Crossyl is acquired, data will be transferred only to an acquirer who agrees to be bound by this Privacy Policy, and you will be notified in advance.
4 · Data Storage & Security
Where your data lives and how we protect it
All data is stored on servers located within India, in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA). We implement the following security measures:
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Zero-knowledge architecture for ID verification data
- Regular third-party security audits and penetration testing
- Role-based access controls — staff access your data only when required for support, and all access is logged
No system is 100% secure. If we ever experience a data breach that affects your personal data, we will notify you within 72 hours of discovery, as required by the DPDPA.
5 · Data Retention
How long we keep your data
We keep your data only as long as necessary:
- Account data is retained while your account is active. Upon deletion, personal data is permanently erased within 30 days.
- KYC verification records are retained for a minimum of 5 years from account closure as required by applicable financial and identity regulations.
- Safety and moderation records (including reports and bans) are retained for 7 years to prevent re-registration by banned users.
- Message content is deleted 30 days after a match expires or either user deletes the conversation.
6 · Your Rights Under the DPDPA
You are in control
Under the Digital Personal Data Protection Act, 2023, you have the following rights, all exercisable through app settings or by contacting privacy@crossyl.app:
- Right to access: Request a copy of all personal data we hold about you.
- Right to correction: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal retention obligations).
- Right to withdraw consent: Withdraw consent for any specific processing at any time.
- Right to nominate: Nominate someone to exercise these rights on your behalf in the event of death or incapacity.
- Right to grievance redressal: Lodge a complaint with the Data Protection Board of India if your rights are not upheld.
We respond to all rights requests within 30 days. You will never be discriminated against or penalised for exercising your rights.
7 · Cookies & Tracking
How we use cookies
We use only essential cookies required to operate the app (session management, security tokens). We do not use tracking cookies, advertising pixels, or third-party analytics that profile you across websites. Our app uses anonymous, aggregated analytics to understand feature usage — this data cannot be linked back to you.
8 · Contact & Grievance Officer
Questions about this policy
If you have questions, concerns, or wish to exercise your rights, contact our Data Protection Officer:
- Email: privacy@crossyl.app
- Response time: Within 30 days
- Escalation: Data Protection Board of India — dpboard.gov.in
This policy may be updated from time to time. We will notify you of material changes via the app and email at least 14 days before they take effect.