Verifact · Claims Verification Platform
Privacy Policy
Last updated: 10 May 2026 · Version 1.0 · DPDP 2023 compliant
1. Who we are
Verifact is a forensic photo verification platform for insurance surveyors and insurers in India. We process personal data under the Digital Personal Data Protection Act 2023 (DPDP 2023) and the Information Technology Act 2000.
Data controller: Verifact Technologies Pvt. Ltd. · privacy@verifact.co.in
2. What we collect and why
| Data | Why | DPDP Legal Basis |
|---|
| Name, email, password hash | Account authentication | Contract §7 |
| GPS coordinates (encrypted) | Verify surveyor was at accident site | Consent §6 + Legitimate interest §7 |
| Device model, attestation type | Detect rooted/emulator devices used for fraud | Legitimate interest §7 |
| Photos of damaged property | Evidence for claim adjudication | Contract §7 |
| C2PA manifest assertions | Cryptographic proof of capture integrity | Contract §7 |
| NTP timestamp, network operator | Verify timestamp accuracy | Legitimate interest §7 |
| IRDAI surveyor licence number | Regulatory compliance | Legal obligation §8 |
| Login attempt records | Brute-force attack prevention | Legitimate interest §7 |
| Billing events, invoices | Financial record keeping | Legal obligation §8 |
3. GPS data and location
GPS coordinates are personal data under DPDP 2023. We protect them with two-tier storage:
• Exact coordinates (lat/lon/altitude/accuracy) are encrypted at rest using AES-256-GCM. Only authorised Verifact personnel with the decryption key can access exact coordinates.
• A coarse geographic hash (Geohash precision-5, approximately 5km × 5km) is stored in plaintext for operational purposes such as district matching and fraud detection.
• GPS is collected only when a surveyor captures a photo during an assigned job — never in the background.
• GPS data is retained for 7 years from claim closure per IRDAI requirements.
4. Data retention
| Data type | Retention period | Basis |
|---|
| Photos and GPS logs | 7 years from claim closure | IRDAI regulation |
| Claim data and notes | 7 years from closure | IRDAI regulation |
| Audit logs | 10 years | Legal requirement |
| Session tokens | 8 hours (auto-expired) | Security |
| Login attempt records | 15 minutes (auto-deleted) | Security |
| Billing and invoices | 7 years | Companies Act 2013 |
5. Who we share data with
We do not sell personal data. We share only with:
• The insurer (tenant) for whose claim the survey was conducted — they see survey results and photos as part of the claims process.
• Cloud infrastructure providers under data processing agreements that prohibit use of data for any other purpose.
• Legal and regulatory authorities when required by law.
6. Your rights under DPDP 2023
You have the right to:
• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate data.
• Erasure — request deletion of your personal data. Data required for ongoing legal proceedings or regulatory compliance cannot be deleted immediately.
• Grievance — raise a complaint with our Data Protection Officer.
• Nominate — nominate another person to exercise your rights on your behalf.
To exercise any right: Settings → Request Data Deletion, or email privacy@verifact.co.in.
7. Consent
When you first use the Verifact Android app, a consent screen lists exactly what data will be collected. You must tap "I Agree" before the camera function is available. Your consent is recorded with a timestamp and the policy version. You may withdraw consent at any time by requesting account deletion.
8. Security measures
• GPS coordinates encrypted at rest: AES-256-GCM
• Passwords: salted SHA-256 hash with constant-time comparison
• Login attempts: rate-limited to 5 per 15 minutes per account
• Photos: cryptographically signed with device hardware keys (StrongBox / TEE / Secure Enclave)
• Transit: TLS 1.3
• Database: not directly accessible from the public internet
9. Data Protection Officer
Verifact Technologies Pvt. Ltd.
Grievance Officer: Verifact Data Protection Officer
Email: privacy@verifact.co.in
For complaints not resolved within 30 days, you may escalate to the Data Protection Board of India (to be constituted under DPDP 2023).
10. Changes to this policy
We will notify you of material changes by email or in-app notification at least 14 days before they take effect. Continued use constitutes acceptance of the updated policy.
Verifact Technologies Pvt. Ltd. · privacy@verifact.co.in · Version 1.0 · 10 May 2026