How ParivarBook collects, uses, stores, shares, and protects your personal data
IMPORTANT NOTICE: THIS IS A TEMPLATE, NOT LEGAL ADVICE. This document has been prepared as a comprehensive drafting template based on information about the ParivarBook application and the compliance approach we have chosen. It does not constitute legal advice and does not create a lawyer/client relationship. Data-protection law in India (the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025), the EU/UK General Data Protection Regulation, and the US Children's Online Privacy Protection Act are evolving, and their application depends on facts specific to the business. You must have this policy reviewed, adapted, and approved by a qualified lawyer admitted in the relevant jurisdiction(s) before you publish or rely on it.
1.1. This Privacy Policy ("Policy") describes how ParivarBook ("we", "us", "our"), the publisher and operator of the ParivarBook mobile application and associated website (together, the "App", the "Platform", or the "Service"), collects, uses, stores, shares, discloses, retains, secures, and otherwise processes personal data relating to you.
1.2. ParivarBook is a free Gujarati-language family and samaj (community) directory application. Its purpose is to help members of a defined village or samaj community maintain an accurate, private, community-only roster of one another, to visualise multi-generation family relationships, to celebrate and organise community life (birthdays, community Snehmilan gatherings, memorials, sports, and student achievements), and to keep transparent records of community donations and accounts. The App is offered in Gujarati and English.
1.3. We take the privacy, dignity, and safety of our community members seriously, and we take special care with children. Because our users belong to close-knit family and community networks, and because the data we hold (names, phone numbers, photographs, family relationships, and, optionally, certain sensitive details) is inherently personal, we have designed the App around the principles of data minimisation, community-only visibility, informed consent, and strong protection for minors.
1.4. We are the Data Fiduciary (as that term is used under India's Digital Personal Data Protection Act, 2023) in respect of the personal data processed through the App. For users in the European Union / European Economic Area or the United Kingdom, we act as the data controller under the applicable General Data Protection Regulation.
1.5. This Policy should be read together with any in-app notices, consent screens, permission prompts, and our Terms of Service / Terms of Use. Where an in-app notice provides specific detail about a particular processing activity, that notice supplements this Policy. In case of conflict between this Policy and a specific in-app consent notice governing a discrete processing activity, the more privacy-protective provision prevails.
1.6. Contact details:
Name: ParivarBook
Location: India
Grievance / Data Protection contact: Grievance Officer (see Section 18 and Section 25)
Email: [email protected]
Phone / WhatsApp: +91 89802 02060
Website: https://parivarbook.com
In this Policy, unless the context requires otherwise, the following terms have the meanings set out below. Terms defined in the DPDP Act, 2023 carry the meaning given to them under that Act.
2.1. "App" / "Platform" / "Service" means the ParivarBook mobile application (Android, Google Play ID parivarbook.com), the website at https://parivarbook.com, and all related features, modules, and services operated by ParivarBook.
2.2. "Personal Data" means any data about an individual who is identifiable by or in relation to such data. Under the GDPR, this corresponds to "personal data" relating to an identified or identifiable natural person.
2.3. "Sensitive Data" / "Special Category Data" means personal data that requires heightened protection. The DPDP Act does not create a separate statutory "sensitive personal data" category, but this Policy treats certain fields, such as blood group (health-related data), marital status, photographs, date of birth, and data revealing community/caste (samaj) affiliation, as sensitive and applies elevated safeguards to them. For the avoidance of doubt, photographs are stored and displayed as ordinary images for identification within the community; they are not processed as biometric data, are not subjected to facial-recognition, facial-geometry extraction, or biometric-matching, and are not used to generate any biometric template or identifier (see Section 4.7). Under the GDPR, "special category data" includes data concerning health and (where applicable) data revealing religious, community, or similar affiliations, and is processed only with explicit consent or another Article 9 basis.
2.4. "Data Principal" means the individual to whom the personal data relates. Where the individual is a child, this includes the child's parent or lawful guardian; where the individual is a person with disability, it includes their lawful guardian.
2.5. "Data Fiduciary" means the person who, alone or with others, determines the purpose and means of processing personal data. ParivarBook is the Data Fiduciary for the purposes of this Policy. (Equivalent to "data controller" under the GDPR.)
2.6. "Data Processor" means any person who processes personal data on behalf of, and under the instructions of, a Data Fiduciary. (Equivalent to "processor" under the GDPR.)
2.7. "Child" means, for the purposes of the DPDP Act, any individual who has not completed eighteen (18) years of age. For the purposes of the US COPPA, "child" means an individual under thirteen (13) years of age. For GDPR child-consent purposes, the relevant age is as set by the applicable EU Member State (between 13 and 16) or the UK (13). Where those thresholds differ, we apply the most protective standard applicable to the user.
2.8. "Guardian" / "Parent" means a lawful parent or a legal guardian of a child, who is entitled to provide Verifiable Parental Consent and to exercise a child's rights on the child's behalf.
2.9. "Verifiable Parental/Guardian Consent" means consent obtained through a process reasonably designed, in light of available technology and consistent with the DPDP Rules, 2025, to ensure that the person providing consent is in fact the parent or lawful guardian of the child and is a verifiable, identifiable adult, in the manner required by the DPDP Act and Rules (and, for diaspora users, COPPA / GDPR-K). The concrete verification method is described in Section 8.
2.10. "Processing" means any wholly or partly automated operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.
2.11. "Consent" means any freely given, specific, informed, and unambiguous indication of the Data Principal's wishes by which they, through a clear affirmative action, signify agreement to the processing of their personal data for a specified purpose.
2.12. "Community" / "Samaj" means the specific village and/or samaj group to which a member belongs and within which member data is shared under the community-only visibility model described in Section 11.
2.13. "Committee" / "Admin" means an authorised village or samaj committee member or administrator who onboards or manages community rosters and who may route or remind members to claim and consent to their profiles, but who cannot provide consent on behalf of any child (see Sections 7 and 8).
2.14. "Claim Your Profile" means the process by which a Data Principal (or, for a child, their parent/guardian) takes ownership of a minimally pre-populated profile entry, verifies identity, and provides their own consent.
2.15. "Consent Manager" means a person registered with the Data Protection Board of India who, under the DPDP Act, enables a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Our current position on Consent Managers is stated in Section 7.9.
2.16. "DPDP Act" means the Digital Personal Data Protection Act, 2023, together with the DPDP Rules, 2025, and any amendments, notifications, or clarifications thereunder.
2.17. "Data Protection Board" / "Board" means the Data Protection Board of India established under the DPDP Act.
2.18. "Significant Data Fiduciary" / "SDF" means a Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government under Section 10 of the DPDP Act, having regard to factors such as the volume and sensitivity of personal data processed, risk to Data Principals, and impact on the sovereignty, integrity, electoral democracy, security, or public order of India.
2.19. "GDPR" means Regulation (EU) 2016/679 (EU GDPR) and/or the UK GDPR and Data Protection Act 2018, as applicable.
2.20. "COPPA" means the US Children's Online Privacy Protection Act and its implementing rule.
2.21. "Firebase" / "Google Services" means the Google Firebase suite (Firestore, Realtime Database, Authentication, Cloud Storage, Cloud Messaging/FCM, and Analytics) and related Google Cloud infrastructure used as processing infrastructure for the App.
2.22. "isMinor gating" / "age-based technical gating" means the technical control by which the App classifies a Data Principal as a minor (under 18) or adult and, on that basis, automatically suppresses analytics, diagnostics, behavioural processing, and advertising for minors (see Sections 4.13, 8.4, and 9.3).
This Section states how you accept this Policy and how, and to what extent, you give consent under the DPDP Act. It applies at the very start of your use of ParivarBook and should be read before the detailed Sections that follow.
2A.1. Acceptance by a clear affirmative action. You accept this Policy, and you give your consent to the processing described in it, through a clear affirmative action. That action is any of the following: (a) tapping "Agree" on the consent screen shown to you at first use of the App; (b) creating or claiming a profile; or (c) continuing to use the App after being shown this Policy and the in-app Notice. If you do not agree, please do not tap "Agree", do not create or claim a profile, and discontinue use of the App.
2A.2. What your consent means under the DPDP Act. Your consent under the DPDP Act is given by that explicit affirmative action together with the itemized Notice we present to you (Section 7A). On that basis, your consent is free, specific, informed, and unambiguous, and it is limited to the purposes stated in the Notice and in Section 6. We do not treat mere passive use of the App as blanket consent to everything. Your consent covers only what the Notice states, and nothing more; for any purpose the Notice does not cover, we will provide a fresh Notice and, where required, seek fresh consent (Sections 6.16 and 7A.4).
2A.3. Your right to withdraw consent. You may withdraw your consent at any time. Withdrawal is designed to be as easy as giving consent was, and it takes effect going forward (it does not affect the lawfulness of processing carried out before you withdrew). The means to withdraw are set out in Section 7.6 and are carried in the in-app Notice itself.
2A.4. Your confirmations about age. By accepting this Policy, you confirm that:
(a) you are 18 years of age or older; or
(b) you are between 13 and 17 years of age and a parent or lawful guardian has given Verifiable Parental/Guardian Consent for your use of the App through the in-app parent-approval flow (Section 8); and
(c) the age information you provide is true, and you will not misrepresent your age or the age of any person whose profile you create or manage.
2A.5. Children carve-out (anyone under 18). For any individual under 18, ParivarBook does not rely on the child's own consent. Only Verifiable Parental/Guardian Consent applies (Section 8). Regardless of any consent given, whether by a child or by a parent or guardian, we do not carry out behavioural tracking, behavioural monitoring, profiling, or targeted advertising for anyone under 18 (Sections 8.5 and 21.2). This protection cannot be waived by consent.
3.1. What this Policy covers. This Policy applies to all personal data processed by us through the App and website, including data entered by members, by parents/guardians on behalf of children, and by community committees/admins during onboarding, and data generated automatically in the course of providing the Service (as limited by Section 4 and Section 9).
3.2. Who this Policy applies to. This Policy applies to:
(a) Adult members (18 years and older) who claim and use their own profiles;
(b) Adolescent users aged 13 to 17, who may use the App only after Verifiable Parental/Guardian Consent (see Section 8);
(c) Children under 13, who are not users of the App and appear only as parent/guardian-managed data-subjects;
(d) Parents and guardians who manage a child's data;
(e) Committee members / administrators who onboard and manage community rosters; and
(f) Visitors to our website.
3.3. Geographic scope. The App is primarily directed at communities located in India. However, many samaj communities have members in the diaspora (Non-Resident Indians and persons of Indian origin abroad). Accordingly:
(a) For users and data subjects in India, the DPDP Act, 2023 is the primary governing law.
(b) For users and data subjects in the EU/EEA or the UK, the GDPR applies additionally, and this Policy is to be read as extending equivalent rights and protections to them (see Sections 14 and 17).
(c) For US-based children under 13, COPPA applies additionally (see Section 8).
3.4. Google Play age targeting. In line with our compliance model, the App is targeted to users aged 13 and above and is configured on Google Play across the 13 to 15, 16 to 17, and 18+ target-age bands. It is not directed to children under 13 as users.
3.5. Third-party links. The App and website may contain links to third-party websites or services (for example, a sponsor's website). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Please review their policies separately.
We practise data minimisation and collect only what is necessary for the community-directory purposes described in this Policy. The categories below describe the maximum scope of data the App may hold; not every field applies to every member, and several fields are optional.
4.1. Identity data.
(a) Full name (and samaj/surname);
(b) Date of birth and/or age;
(c) Gender.
4.2. Contact data.
(a) One or more phone numbers (including a number used for OTP-based sign-in);
(b) Postal/residential address (optional);
(c) Village/native place.
4.3. Community / samaj data.
(a) Village and samaj/community affiliation;
(b) Surname and family/clan grouping;
(c) Membership status within the community roster.
4.4. Family-relationship data.
(a) Multi-generation family-tree relationships (for example, parent, child, spouse, sibling, and extended-family links) that connect members to one another.
4.5. Optional sensitive / special-category data. Provided at the member's (or guardian's) discretion:
(a) Blood group (treated as health-related data);
(b) Marital status;
(c) Photographs of the member (profile photo; treated as sensitive because facial images can identify individuals).
Where such data is provided, it is processed with elevated safeguards and, for diaspora users, on the basis of explicit consent under GDPR Article 9.
4.6. Children's data. For a child under 18 whose profile is managed by a parent/guardian, we may hold the child's name, date of birth/age, gender, village/samaj, family relationships, and, only if the parent/guardian chooses, photograph and other optional fields. Before Verifiable Parental/Guardian Consent is obtained, only minimal data (the name) is displayed, especially for minors (see Sections 7 and 8).
4.7. Photos and image data. Photographs uploaded by members or guardians (profile photos; images used in the passport-photo/ID-maker, greeting cards, memorial Shradhanjali cards, event content, and the like) are stored and displayed as ordinary images. We do not use facial-recognition or biometric-matching technology on these images, do not extract facial geometry or any biometric template, and do not process photographs as biometric data.
4.8. Content and activity within community modules. Data you enter or generate when using specific features, for example:
(a) Birthday reminders / greeting cards (uses date-of-birth data already held);
(b) Snehmilan community events: attendance, RSVPs, event details;
(c) Donation / donor tracking and donor "hisab": donor name, amount, date, and related account records maintained for community-transparency purposes;
(d) Shradhanjali memorial cards: details of a deceased community member (name, dates, photograph, tribute text);
(e) Cricket tournament module: team/player entries, fixtures, scores;
(f) Seasonal student-result leaderboard: student name, community, result/marks, and ranking (published within the community only).
4.9. Device and technical data (adults only, and limited).
(a) Device identifiers, app version, operating-system version, and basic diagnostic/crash information necessary to keep the App working and secure;
(b) Firebase Cloud Messaging (FCM) token for push notifications;
(c) Authentication metadata associated with OTP sign-in.
We do not collect device/technical, usage, or diagnostic data for behavioural tracking, and we do not collect analytics or diagnostic data for any user under 18 (see Sections 8 and 9).
4.10. Contacts permission (optional). If (and only if) you grant the relevant device permission, the App may access your device contacts to help you find or connect community members. This access is optional, is used only for the stated purpose, is not used to build advertising profiles, and can be revoked at any time in your device settings. We do not upload your entire address book for unrelated purposes.
4.11. Usage and diagnostic data (adults only). Aggregate, non-behavioural usage and diagnostic information (for example, which features are used, crash reports) may be processed for adult users only to maintain and improve the Service. Minors are excluded from all such collection.
4.12. We do not knowingly collect payment-card data, precise real-time geolocation for tracking, government-ID numbers beyond what a member voluntarily includes in a photo they create with the ID-maker, or any data category not described in this Policy.
4.13. Age-based technical gating (how "adults only" is enforced). The App maintains an internal age classification (an isMinor flag / neutral age-gate) derived from the date of birth or age recorded for each Data Principal. This control operates automatically to suppress analytics, diagnostics, behavioural processing, and advertising for any Data Principal classified as a minor (under 18), so that the adults-only limitations in Sections 8.4, 9.3, and 10.3 are enforced technically and not merely as policy statements. The mechanics of this control are documented in our internal compliance records.
5.1. Self-entry by adult members. Adult members enter and edit their own data directly through the App after claiming their profile and providing consent.
5.2. Committee / community onboarding. Village or samaj committees/admins may create initial roster entries during onboarding so that a community directory can be established. Before a profile is claimed and consented to, we display only minimal data (the name), and this is applied especially strictly to minors. Committee-entered data remains limited and non-visible beyond the minimum until the relevant Data Principal (or a child's parent/guardian) claims the profile and provides consent (see Sections 7 and 8).
5.3. "Claim your profile" model. A Data Principal claims a pre-created entry, verifies identity (for example, via phone-OTP authentication), completes/corrects the data, sets visibility preferences, and provides their own affirmative consent.
5.4. Parent/guardian entry for a child. For any individual under 18, data is entered and managed by a parent or lawful guardian, who provides Verifiable Parental/Guardian Consent. A committee/admin may route or remind the guardian to do so but cannot consent on the child's behalf.
5.5. Automatic collection. Certain limited technical data (Section 4.9) is generated automatically when the App runs, for example an FCM token for notifications, app/OS version, and crash diagnostics, subject to the minor-exclusion rule in Section 8 and the age-based technical gating in Section 4.13.
5.6. Third-party sign-in / infrastructure. Sign-in uses Firebase phone-OTP Authentication; the associated phone number and authentication metadata are collected through this process.
We process personal data only for the following specified, explicit, and legitimate purposes:
6.1. To create, maintain, and display a community-only member directory for your village/samaj.
6.2. To build and display multi-generation family trees and relationship links among members.
6.3. To provide birthday reminders and greeting cards to community members.
6.4. To organise and manage Snehmilan community events, including invitations, RSVPs, and attendance.
6.5. To record and display community donations, donor tracking, and donor "hisab" for transparency of community accounts.
6.6. To create and share Shradhanjali memorial cards honouring deceased community members.
6.7. To operate the cricket tournament module (teams, fixtures, scores).
6.8. To operate the seasonal student-result leaderboard within the community.
6.9. To provide the passport-photo / ID-maker utility (image processing on the member's own photo, at the member's request).
6.10. To send push notifications relating to the above features (for example, birthday reminders, event updates), subject to your notification preferences.
6.11. To authenticate users and secure accounts (phone-OTP sign-in).
6.12. To operate, maintain, secure, debug, and improve the App, for adult users only in respect of diagnostic/usage data.
6.13. To communicate with you about the Service, respond to your requests, and handle grievances.
6.14. To display our own or directly-sold, non-targeted local sponsor banners to adult users (see Section 10), never to users under 18.
6.15. To comply with legal obligations and to establish, exercise, or defend legal claims, and to protect the safety, rights, and property of members, the community, ParivarBook, and the public.
6.16. We will not process your personal data for any new purpose that is incompatible with those above without providing notice and, where required, obtaining fresh consent.
7.1. Primary basis: consent (DPDP Act). Our primary legal basis for processing under the DPDP Act is your consent, obtained through a clear affirmative action (an explicit tick/tap on a consent control), accompanied by the itemized Notice described in Section 7A. Consent is limited to such personal data as is necessary for the specified purpose. For the avoidance of doubt, this consent is given by the explicit affirmative tick or tap (Section 2A), and not by mere passive use of the App; it covers only what the Notice states.
7.2. Adults consent for themselves. Each adult Data Principal claims and consents to their own profile via an affirmative tick and notice.
7.3. Parents/guardians consent for children. For any Data Principal under 18, a parent or lawful guardian provides Verifiable Parental/Guardian Consent (see Section 8). An Admin/committee member may route or remind but cannot consent for a child.
7.4. Minimal data before consent. Until a profile is claimed and consented to, we display only minimal data (the name). This is applied especially strictly to minors.
7.5. Committee-entered data is limited until claimed. Roster entries created by committees during onboarding remain limited (minimal display, restricted use) until the Data Principal (or a child's guardian) claims the profile and gives consent.
7.6. Right to withdraw consent. You may withdraw your consent at any time, and the ease, effort, and number of steps required to withdraw consent shall be comparable to those required to give it. You may withdraw through the App's in-app controls or by contacting the Grievance Officer; links/means to withdraw consent are also carried in the Notice itself (Section 7A). Withdrawal does not affect the lawfulness of processing carried out before withdrawal. On withdrawal, we (and our Data Processors) will cease the relevant processing within a reasonable time and, where appropriate, erase or restrict the data, subject to any legal-retention obligation (see Section 16).
7.7. Additional GDPR bases (diaspora). For users in the EU/EEA/UK, our lawful bases under the GDPR are: consent (Article 6(1)(a)); contract/steps at your request where you use a feature (Article 6(1)(b)); legitimate interests for security and core directory functionality where they do not override your rights (Article 6(1)(f)); and legal obligation (Article 6(1)(c)). For special-category data (for example, blood group, images, community affiliation), we rely on your explicit consent (Article 9(2)(a)). For children in the EU/UK, we rely on Article 8 (verifiable parental consent below the applicable age of digital consent).
7.8. No bundled or coerced consent. Consent is sought separately for optional/sensitive fields (for example, blood group, marital status, photograph); declining them does not prevent core directory participation, and consent is not a condition for unrelated services.
7.9. Consent Managers. The DPDP Act contemplates that a Data Principal may give, manage, review, and withdraw consent through a Consent Manager registered with the Data Protection Board of India. As at the Effective Date, we do not use a Consent Manager; consent is obtained and managed directly, through the App's own consent and preference controls and the Grievance Officer. If, in future, we integrate with a registered Consent Manager, we will update this Policy and provide the relevant notice.
7A.1. Standalone itemized notice. Before or at the time of seeking your consent, we provide you with a clear, plain-language Notice, presented independently of any other information, that itemizes the following (consistent with Section 5 of the DPDP Act and the First Schedule of the DPDP Rules, 2025):
(a) an itemized description of the personal data sought to be collected (for example: full name, phone number(s), date of birth, gender, village/native place, samaj/surname, family-tree relationships, and, where you choose, address, marital status, blood group, and photograph);
(b) the specified purpose for which the personal data is proposed to be processed, together with an itemized description of the goods or services to be provided or uses to be enabled by such processing (for example: inclusion in and display of the community directory, family-tree visualisation, birthday reminders and greeting cards, Snehmilan event management, donation/donor "hisab" records, Shradhanjali memorial cards, cricket tournament module, student-result leaderboard, passport-photo/ID-maker, push notifications, and authentication);
(c) the manner in which you may exercise your rights under Section 6(4) of the DPDP Act (withdrawal of consent) and Section 13 (grievance redressal), including the in-app controls and the Grievance Officer's contact details;
(d) the manner in which you may make a complaint to the Data Protection Board of India; and
(e) a description of, and the means to exercise, the right to withdraw consent, with the withdrawal mechanism made as easy as giving consent (Section 7.6).
7A.2. Where the Notice is carried. The Notice content in Section 7A.1 is presented in-app at the point of consent (on the claim-your-profile and consent screens) and is cross-referenced by this Policy; the in-app Notice carries active links/controls to withdraw consent, exercise rights, and contact the Grievance Officer and the Board.
7A.3. Language of the Notice (Eighth Schedule right). In accordance with Section 5(3) of the DPDP Act, the Notice and this Policy are made available in English and Gujarati, and you have the right to access the Notice in English or in any language specified in the Eighth Schedule to the Constitution of India. To request the Notice in another Eighth Schedule language, please contact the Grievance Officer (Section 18).
7A.4. Notice on change of purpose. If we intend to process your personal data for a purpose that is not covered by an earlier Notice, we will provide a fresh Notice and, where required, obtain fresh consent (Section 6.16).
This Section sets out, in full detail, how we treat individuals under 18. Under the DPDP Act, everyone under 18 is a "child." We apply the most protective standard across DPDP, COPPA, and GDPR-K.
8.1. Governing standard: well-being of the child (DPDP Section 9(1)). We process a child's personal data only in a manner that is not detrimental to the well-being of the child. This "well-being" standard governs all processing of children's data under this Policy and applies in addition to (and independently of) the specific prohibitions in Section 8.4.
8.2. Under-13 individuals are NOT users. Children under 13 cannot register, sign in, or independently use the App. They may appear in the community directory only as data-subjects whose profiles are created and managed by a parent or lawful guardian, and only with Verifiable Parental/Guardian Consent.
8.3. Ages 13 to 17 may use the App only after Verifiable Parental/Guardian Consent. An adolescent aged 13 to 17 may use the App only after a parent/guardian has completed the in-app parent-approval flow, which is logged/recorded. Without such logged consent, a 13 to 17 individual is not permitted to operate the App. This parental consent is given by the guardian's own explicit affirmative action in that flow (Section 2A) and cannot arise from a child's passive use of the App.
8.4. Verifiable Parental/Guardian Consent process and due diligence. Before enabling any under-18 profile or 13 to 17 user access, we obtain consent through a process reasonably designed, and consistent with the due-diligence expectation of the DPDP Rules, 2025, to confirm that the consenting person is an identifiable, verifiable adult who is the parent/lawful guardian of the child. Depending on the circumstances, such verification may rely on one or more of:
(a) reliable identity and age details already available with us (for example, an existing verified adult member's account and phone-OTP-authenticated identity);
(b) reliable identity/age data voluntarily provided by the consenting adult; and/or
(c) a virtual token mapped to verified identity/age (including, where adopted, a token issued by an entity entrusted by law or by a Digital Locker service provider, that is, a DigiLocker-style mechanism).
We retain a log of that consent (who consented, for whom, when, and for what purpose). A committee/admin may route or remind the guardian but cannot provide the consent. The concrete operational method is documented in our internal compliance records, which this Policy incorporates by reference for the mechanics of verification.
8.5. Absolute bar on tracking, monitoring, profiling, and targeted ads to under-18 users (DPDP Section 9(3)). In line with Section 9(3) of the DPDP Act, we do not, under any circumstances:
(a) undertake behavioural tracking, monitoring, or profiling of any user under 18;
(b) perform analytics on any user under 18;
(c) serve targeted or behaviourally-tailored advertising to any user under 18.
This prohibition is absolute and cannot be waived or "cured" by consent, not even parental consent. It is enforced technically by the age-based gating described in Section 4.13.
8.6. Minimal data for minors. For minors, we display only the name before consent, and thereafter only the fields the guardian chooses to enable, subject to community-only visibility and per-field controls (Section 11).
8.7. Parental management and rights. A parent/guardian may access, correct, complete, restrict, or erase the child's data, withdraw consent, and adjust visibility at any time, by using the App or contacting the Grievance Officer.
8.8. Auto-maturation at 18. When a child reaches 18 years of age, the child's profile automatically converts into a standard adult profile. At that point, the (now adult) member assumes control of their own profile and consent, and the special child-protections in this Section cease to apply (while the general no-third-party-ad-network and community-only-visibility principles continue to apply to all members).
8.9. COPPA note (US, under 13). For children under 13 in the United States, we comply with COPPA: no collection from under-13s except from a parent/guardian who provides verifiable parental consent; parents may review, request deletion of, and refuse further collection of their child's information by contacting the Grievance Officer; and we do not condition a child's participation on disclosing more information than is reasonably necessary.
8.10. GDPR-K note (EU/UK). For children in the EU/EEA/UK, we comply with GDPR Article 8 and the applicable national age of digital consent (13 to 16). Below that age, processing based on consent requires verifiable authorisation by the holder of parental responsibility. We provide child-facing information in clear, plain language where relevant.
8.11. No knowing violation. If we learn that an under-13 has registered as a user, or that a 13 to 17 user is operating the App without logged parental consent, we will promptly suspend the access and/or delete the associated user account and require proper parental consent before any further processing.
9.1. App context. As a mobile application, ParivarBook does not rely on traditional web browser cookies for its core functionality. The website at https://parivarbook.com may use cookies and similar technologies as described in Section 9A.
9.2. SDKs / infrastructure. The App integrates Google Firebase components as processing infrastructure: Firestore, Realtime Database, phone-OTP Authentication, Cloud Storage, Cloud Messaging (FCM), and Analytics. These are used to provide, secure, and operate the Service.
9.3. Firebase Analytics: adults only, minors excluded. Where analytics are used, they are limited to adult users and used to keep the App functioning and to improve it. No analytics, tracking, monitoring, or profiling is performed on any user under 18 (Section 8.5), and this exclusion is enforced by the age-based technical gating in Section 4.13. We do not use analytics for cross-app or cross-site behavioural advertising.
9.4. No third-party advertising or tracking SDKs. We do not embed third-party advertising-network SDKs, cross-app tracking SDKs, or data-broker tags in the App.
9.5. Push notifications. FCM is used to deliver notifications (for example, birthday reminders, event updates). You can control notifications through in-app settings and your device settings.
9A.1. Scope. This Section describes cookies and similar technologies used on our website at https://parivarbook.com. Cookies are small text files stored on your device; similar technologies include local storage, pixels, and SDKs.
9A.2. Consent banner (EU/UK-facing surface). For visitors in the EU/EEA/UK (and elsewhere where required), the website presents a cookie-consent banner on first visit. Strictly necessary cookies are set without consent (as they are essential to operate the site); all non-essential cookies (if any) are set only after you give affirmative consent through the banner, and you may accept, reject, or granularly manage categories and withdraw consent at any time via the banner or a "Cookie Settings" link. We do not use pre-ticked boxes for non-essential cookies.
9A.3. Categories of cookies we may use.
| Category | Purpose | Set without consent? | Typical retention |
|---|---|---|---|
| Strictly necessary | Core site operation, security, load-balancing, remembering your cookie choices | Yes (essential) | Session to 12 months |
| Functional / preferences | Remembering language (Gujarati/English) and display preferences | No, consent required | Up to 12 months |
| Performance / analytics (aggregate) | Understanding aggregate, non-behavioural site usage to improve the site (adult visitors only; not used for advertising) | No, consent required | Up to 14 months |
| Advertising / third-party tracking | Not used. We do not set third-party advertising or cross-site tracking cookies. | Not applicable, not used | Not applicable |
9A.4. No third-party ad/tracking cookies. Consistent with Sections 9.4 and 10, we do not deploy third-party advertising-network or cross-site tracking cookies on the website.
9A.5. Managing cookies in your browser. In addition to the on-site banner, you can control or delete cookies through your browser settings. Blocking strictly necessary cookies may impair site functionality.
9A.6. Minors. We do not use cookies or similar technologies to profile, track, or advertise to any visitor under 18 (Section 8.5).
10.1. In-house / directly-sold banners only. Any advertising in the App consists solely of our own promotions or banners from local sponsors sold directly by us (for example, a local solar company or coaching centre). These are generic, age-appropriate, and non-targeted.
10.2. No third-party ad networks. We do not use any third-party advertising networks, programmatic exchanges, real-time bidding, or ad-tech intermediaries. Sponsor banners are not personalised using your behaviour or personal data.
10.3. No ads to minors, absolute. We do not show advertising of any kind, targeted or otherwise, in a manner that involves tracking or profiling of users under 18, and we do not serve targeted advertising to any user under 18 under any circumstances (Section 8.5). This is enforced by the age-based technical gating in Section 4.13.
10.4. No sale of data for advertising. We do not sell, rent, or share personal data with advertisers or data brokers (Section 12).
11.1. Community-scoped visibility. Member data is shown only within the same village/samaj community and is not published to the open/public internet. Members of one community cannot browse another community's roster.
11.2. Per-field visibility controls. You (or a guardian, for a child) can control the visibility of individual fields, for example choosing whether address, marital status, or blood group is shown to the community.
11.3. Phone-number masking. Phone-number masking is available, allowing you to hide or partially mask your phone number from the community view while still participating in the directory.
11.4. Sensitive content within community. Photographs, memorial cards, donation records, and leaderboards are displayed within the community context only, consistent with your and the community's visibility settings.
11.5. Member responsibility. Because the directory operates within a community of real people, please share only information you are comfortable being seen by your community, and use the visibility controls to reflect your preferences.
12.1. We do NOT sell personal data. We do not sell, rent, trade, or otherwise monetise your personal data.
12.2. Within your community. Data is shared with other members of your same village/samaj community, subject to your visibility controls (Section 11).
12.3. Service providers / processors. We share data with vetted processors who process it only on our instructions to provide the Service, principally Google Firebase / Google Cloud (Section 13). Such providers are bound by confidentiality and data-protection obligations.
12.4. Legal, safety, and regulatory disclosures. We may disclose personal data where required to:
(a) comply with applicable law, legal process, or a lawful request from a competent authority (including the Data Protection Board of India or a court of law);
(b) enforce our Terms or investigate potential violations;
(c) protect the rights, safety, or property of members, the community, ParivarBook, or the public; or
(d) prevent or address fraud, security, or technical issues.
12.5. Business transfers. In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction, subject to the recipient continuing to honour this Policy or providing equivalent protection; we will notify affected Data Principals where required by law.
12.6. Community committees. Committees/admins may access roster data for legitimate community-administration purposes, subject to the limits in Sections 7 and 8 (including the rule that they cannot consent for children).
12.7. De-identified data. We may use and share irreversibly de-identified or aggregated information, that is, information processed so that it can no longer reasonably be linked back to, or used to identify, any individual (for example, community-level counts and statistics), and excluding any profiling of minors. This de-identification is a good-practice measure we have adopted; it is not a claim that personal data ceases to be governed by the DPDP Act merely because it has been de-identified. Where de-identification is not irreversible, the underlying data continues to be treated as personal data and protected under this Policy.
13.1. Google Firebase / Google Cloud as processor. We use Google Firebase and Google Cloud Platform as our principal Data Processor / sub-processor for hosting and infrastructure, including:
(a) Cloud Firestore and Realtime Database for structured data storage;
(b) Firebase Authentication (phone-OTP) for sign-in and identity verification;
(c) Cloud Storage for storage of photos and files;
(d) Cloud Messaging (FCM) for push notifications;
(e) Firebase Analytics for limited, adult-only diagnostics/usage (minors excluded).
13.2. Custom REST API. Our own custom REST API backend, operated by or for us, processes and routes data between the App and the storage/infrastructure layer.
13.3. Processor obligations. Processors act only on our documented instructions, are subject to confidentiality and security commitments, and are not permitted to use your personal data for their own independent purposes in connection with our Service. Google's processing is further governed by Google's applicable data-processing and security terms.
13.4. No third-party ad or tracking processors. We do not engage advertising-network or data-broker processors (Sections 9 and 10).
14.1. Diaspora / cross-border context. Because samaj communities include diaspora members (NRIs / persons of Indian origin), and because our cloud infrastructure (Google Firebase/Google Cloud) may store or process data in data centres located outside your country, your personal data may be transferred to, stored in, or accessed from jurisdictions other than your own, including outside India.
14.2. DPDP transfers. We transfer personal data outside India in a manner consistent with the DPDP Act and any restrictions the Central Government may notify regarding transfers to specified countries.
14.3. GDPR transfers. For personal data transferred from the EU/EEA/UK, we rely on appropriate safeguards recognised under the GDPR, such as adequacy decisions, Standard Contractual Clauses, and the security/contractual commitments offered by our infrastructure providers, to ensure an essentially equivalent level of protection.
14.4. Safeguards. Regardless of location, we require that transferred data remain subject to the security measures in Section 15 and the confidentiality obligations in Section 13.
15.1. Reasonable security safeguards. We implement reasonable technical and organisational security safeguards appropriate to the risk, as required by the DPDP Act and good industry practice, designed to protect personal data against unauthorised access, use, alteration, disclosure, loss, or destruction, and to help prevent a personal data breach.
15.2. Measures include, without limitation:
(a) Encryption in transit for data moving between the App and our backend/infrastructure, and encryption at rest as provided by our cloud platform;
(b) Phone-OTP authentication to verify user identity at sign-in;
(c) Access controls and role-based permissions, so that community data is accessible only within the relevant community and administrative access is limited to authorised personnel;
(d) Database-layer security rules governing read/write access;
(e) Community-only visibility and phone masking as privacy-by-design controls (Section 11);
(f) Data minimisation and the minimal-data-before-consent rule;
(g) Age-based technical gating (Section 4.13) enforcing the minor exclusions;
(h) Logging of parental/guardian consent for minors;
(i) Periodic review of access rights, logs, and security configuration.
15.3. No absolute guarantee. While we take security seriously, no method of transmission or storage can be guaranteed completely secure. We cannot promise absolute security, but we work to protect your data and to respond promptly to any incident (Section 20).
15.4. Your role. Please keep your device and sign-in credentials secure, use the visibility controls, and notify us promptly of any suspected unauthorised access.
16.1. Retention principle. We retain personal data only for as long as necessary to fulfil the purposes in Section 6, to maintain the community directory while your membership is active, and to comply with legal, accounting, or regulatory obligations.
16.2. Withdrawal / erasure. On withdrawal of consent or a valid erasure request, we will delete or de-identify the relevant personal data within a reasonable period, unless retention is required by law or for the establishment/defence of legal claims (see Sections 7.6 and 17).
16.3. Inactive / unclaimed profiles. Committee-created but unclaimed entries hold only minimal data and are subject to deletion or restriction if not claimed and consented to, consistent with Section 7.
16.4. Children's data. A parent/guardian may request deletion of a child's data at any time; upon a valid request we will delete it, subject to any legal-retention requirement.
16.5. Backups. Residual copies may persist in secure backups for a limited period after deletion from live systems and will be overwritten or purged in the ordinary backup cycle.
16.6. Memorial (Shradhanjali) content. Memorial records may be retained as part of community history, subject to requests from the deceased's family/guardian and applicable law.
Subject to applicable law, you (and, for a child, the parent/guardian) have the following rights. For EU/EEA/UK users, equivalent GDPR rights apply.
17.1. Right to access / information. To obtain confirmation of, and a summary of, the personal data we process about you and the processing activities, and the identities of Data Fiduciaries/Processors with whom it has been shared.
17.2. Right to correction and completion. To have inaccurate or misleading data corrected, and incomplete data completed.
17.3. Right to updating. To have your data updated where it has changed.
17.4. Right to erasure. To request deletion of personal data that is no longer necessary for the purpose for which it was collected, subject to legal-retention exceptions.
17.5. Right to withdraw consent. To withdraw consent at any time, as easily as it was given (Section 7.6).
17.6. Right of grievance redressal. To a readily available means of grievance redressal (Section 18).
17.7. Right to nominate. To nominate, in the manner prescribed by the DPDP Act and the DPDP Rules, 2025, another individual who shall, in the event of your death or incapacity, be entitled to exercise your rights under the DPDP Act in respect of your personal data. You may make, update, or revoke a nomination by using the in-app controls (where available) or by contacting the Grievance Officer.
17.8. Additional GDPR rights (diaspora). For EU/EEA/UK users: rights to restriction of processing, to object, to data portability, not to be subject to solely automated decision-making with significant effect, and to lodge a complaint with a supervisory authority.
17.9. How to exercise your rights.
(a) Use the in-app controls (edit profile, visibility settings, phone masking, withdraw consent, delete profile), or
(b) Contact the Grievance Officer (Section 18) with your request. We may need to verify your identity before acting. We will respond within the timelines set out in Section 18 and applicable law, ordinarily without charge.
(c) We may decline or limit a request where permitted by law (for example, where it would infringe others' rights or a legal obligation requires retention); we will explain any such decision.
17.10. Duties of Data Principals (DPDP Act). The DPDP Act also imposes certain duties on Data Principals, including not impersonating another person, not suppressing material information, not registering false or frivolous grievances, and furnishing only verifiably authentic information when exercising the right to correction/erasure. We ask that you observe these duties when using the App.
18.1. Grievance Officer / Data Protection contact. We have designated a Grievance Officer to address questions, concerns, and grievances relating to this Policy and the processing of your personal data. The same role also serves as our principal data-protection point of contact for Data Principals:
Title: Grievance Officer / Data Protection Contact
Email: [email protected]
Phone / WhatsApp: +91 89802 02060
Location: India
18.2. Grievance Officer vs. Data Protection Officer. Under the DPDP Act, every Data Fiduciary must publish the contact details of a Grievance Officer (or a person able to answer questions about processing); a separate, formally-designated Data Protection Officer (DPO) is a statutory requirement only for a Significant Data Fiduciary (see Section 19A). As at the Effective Date, we are not a notified Significant Data Fiduciary and therefore have not appointed a statutory DPO; the Grievance Officer named above is the point of contact for all data-protection queries, rights requests, and grievances. If we become a Significant Data Fiduciary, we will appoint a DPO based in India and update this Policy accordingly.
18.3. Response timelines. We will acknowledge your grievance within forty-eight (48) hours of receipt and endeavour to resolve it within fifteen (15) days, or such shorter period as required by applicable law.
18.4. How to complain. Please include your name, community/samaj, the nature of the grievance, and any relevant details so we can assist you efficiently. For requests concerning a child, please identify your relationship as parent/guardian.
18.5. No fee for legitimate requests. We do not charge a fee for handling legitimate grievances or rights requests, except where permitted by law for manifestly unfounded or excessive requests.
19.1. Right to escalate. If you are not satisfied with our response to your grievance, or if we fail to respond within the applicable timelines, you have the right to lodge a complaint with the Data Protection Board of India (the "Board") established under the DPDP Act, in the manner prescribed by the DPDP Act and Rules.
19.2. Precondition. Ordinarily, you should first exhaust the grievance-redressal mechanism in Section 18 before approaching the Board.
19.3. Diaspora supervisory authorities. EU/EEA/UK users may additionally lodge a complaint with their local data-protection supervisory authority (for the UK, the Information Commissioner's Office).
19A.1. Current posture. The Central Government may notify a Data Fiduciary or a class of Data Fiduciaries as a Significant Data Fiduciary (SDF) under Section 10 of the DPDP Act, based on factors such as the volume and sensitivity of personal data processed and risk to Data Principals. As at the Effective Date, we have not been notified as an SDF and do not, on the basis of our current scale and processing, consider ourselves to fall within any notified SDF class.
19A.2. Sensitivity acknowledged. We recognise that we process personal data of minors and community/samaj (caste-adjacent) affiliation data, and we therefore voluntarily apply heightened safeguards (community-only visibility, minor exclusions, consent logging, data minimisation) irrespective of SDF status.
19A.3. If notified as an SDF. Should we be notified as a Significant Data Fiduciary, we will comply with the additional obligations under Section 10 of the DPDP Act and the DPDP Rules, 2025, which may include: appointing a Data Protection Officer (DPO) based in and responsible to management in India; appointing an independent data auditor; undertaking periodic Data Protection Impact Assessments (DPIAs) and independent audits; and observing any additional measures the Government may specify. We will update this Policy to reflect any such status.
20.1. Our commitment. In the event of a personal data breach, we will take prompt steps to identify, contain, assess, and remediate the incident.
20.2. Notification to the Board (DPDP Rules, 2025). On becoming aware of a personal data breach, we will notify the Data Protection Board of India promptly and without delay, and will follow up with updated and detailed intimation to the Board within seventy-two (72) hours of becoming aware (or such longer period as the Board may allow on request), including the prescribed particulars: the nature, extent, timing, and location of the breach, its likely consequences, the measures taken or proposed to remedy the breach and mitigate harm, and the findings as to the person who caused the breach and remedial/preventive measures implemented.
20.3. Notification to affected Data Principals (DPDP Rules, 2025). We will notify each affected Data Principal without delay, in a concise, clear, and plain manner, providing the prescribed particulars, including: a description of the breach (nature, extent, and timing); the likely consequences relevant to that Data Principal; the measures we have taken or are taking to mitigate risk; the safety measures the Data Principal can take to protect their own interests; and the contact details of the Grievance Officer / person able to answer queries on our behalf (Section 18).
20.4. GDPR breach notification (diaspora). For EU/EEA/UK personal data, we will notify the competent supervisory authority within 72 hours of becoming aware of a breach where feasible and required, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
20.5. Records. We maintain records of personal data breaches and of our assessment and response, consistent with legal requirements.
21.1. No solely-automated significant decisions. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
21.2. No profiling of minors, absolute. We do not profile, behaviourally track, or build advertising or behavioural profiles of any user under 18, under any circumstances (Section 8.5). This cannot be overridden by consent and is enforced by the age-based technical gating in Section 4.13.
21.3. Feature logic. Features such as birthday reminders operate on data you provide (for example, date of birth) to deliver a requested function and do not constitute profiling for advertising or evaluation purposes.
22.1. Updates. We may update this Policy from time to time to reflect changes in law, technology, or our practices. The "Last Updated" date and version at the top will indicate the latest revision.
22.2. Notice of material changes. Where changes are material, we will provide reasonable notice through the App, website, or other appropriate means, and, where required by law, obtain fresh consent.
22.3. Continued use. Your continued use of the App after an updated Policy takes effect constitutes acceptance of the updated Policy, to the extent permitted by law; where consent is required, we will seek it separately by the explicit affirmative tick described in Section 2A, and we will not treat passive use alone as consent to any new or expanded processing.
23.1. Governing law. This Policy and any dispute or claim arising out of or in connection with it or its subject matter are governed by and construed in accordance with the laws of India, including the DPDP Act.
23.2. Jurisdiction. Subject to any non-waivable statutory rights (including those of the Data Protection Board and, for diaspora users, their local supervisory authorities), the courts at the place of our principal operations in India shall have exclusive jurisdiction over any dispute arising out of or relating to this Policy.
23.3. Diaspora rights preserved. Nothing in this Section deprives EU/EEA/UK or other diaspora users of the protection of mandatory consumer or data-protection laws of their country of residence.
24.1. Severability. If any provision of this Policy is held to be invalid, unlawful, or unenforceable, that provision shall be severed to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
24.2. Headings. Headings are for convenience only and do not affect interpretation.
24.3. Conflict. In case of conflict between this Policy and mandatory applicable law, the mandatory law prevails; and as between this Policy and a specific in-app Notice on a discrete processing activity, the more privacy-protective provision applies to that activity.
25.1. If you have any questions, requests, or concerns about this Policy or about how we handle your personal data, please contact us:
Data Fiduciary: ParivarBook
Grievance Officer / Data Protection Contact: Grievance Officer
Email: [email protected]
Phone / WhatsApp: +91 89802 02060
Location: India
Website: https://parivarbook.com
25.2. We are committed to working with you to resolve any concern you may have about our processing of your personal data.
ParivarBook is operated in India. This Privacy Policy is effective as of 1 July 2026.
Contact our Grievance Officer for any privacy concern, or to access, correct, or delete your data.
[email protected]