Privacy Policy
Last updated · 10 June 2026
i.
What this policy covers
This policy describes how RightOffer ("we", "us") collects, uses, stores, and shares your personal information when you use rightoffer.in and the related motor insurance review service. We operate from India and process personal data in accordance with the Digital Personal Data Protection Act, 2023 (the "DPDP Act").
ii.
What we collect
We collect only what we need to read your policy and deliver a review:
- Your motor insurance document — the PDF of your policy or renewal quote — sent to us either by uploading it directly at rightoffer.in/upload or by forwarding the email containing it to review@rightoffer.in. Either action is treated as your affirmative consent to process the document. Stored encrypted; only our parser reads its contents.
- Email address and (optionally) WhatsApp number — used to deliver your review and a sign-in link. Never sold.
- Name and profile information from Google or Apple — if you choose to sign in via those providers, we receive your verified email and name. We do not access your contacts, calendar, files, or anything else from those accounts.
- Vehicle details — make, model, variant, year, registration number, IDV, NCB, premium breakdown, add-ons, policy period, insurer, owner name and address. Extracted from the document you upload; used to anchor your review.
- Your answers to optional product questions — past claims, parking habits, renewal priorities, and similar context — collected only when you choose to answer them during the review flow.
- Basic usage data — pages visited, time spent, anonymised event logs. Used to improve the product.
iii.
What we don't collect
We do not collect: your government ID numbers (PAN, Aadhaar), your bank account details, your credit-card information, your income, your medical history, your location beyond city/PIN, or any biometric data. The review service does not require any of these and we will never ask for them.
iv.
How we use your data
We use your data exclusively to:
- Generate and deliver your policy review — including the recommendations, gap analysis, and renewal context that appear in your report.
- Send delivery notifications — the review itself, sign-in codes and magic-link sign-in emails, and (only if you opt in) renewal reminders ~45 days before your policy expires.
- Improve the parser and product — aggregated and anonymised. We never sell or share personally-identifying data with third parties.
- Match you with insurer partners — coming soon — when our renewal marketplace launches, we will ask for your explicit, granular consent before sharing your policy context with any insurer partner. The audit you receive today does not depend on this and we do not share your data with insurers today.
iv-a.
What we'll ask you separately for
As we expand our services, we may want to use your existing data for new purposes. We will always ask you for separate, explicit consent before doing so:
- Additional insurance verticals (e.g. health) — when we launch a new vertical, we'll surface a fresh consent screen specific to it before processing any new data type.
- Broader financial services improvements — we may build adjacent services in lending or investments over time. Any use of your data to power those services will require your further, explicit consent at the time such service launches.
- Anonymised aggregate insights for partners — we may share aggregate statistics (e.g. "X% of Audi A6 policies in Delhi miss engine-protection cover") with insurer partners, regulators, or researchers. This data is anonymised and never traceable back to you.
v.
Who we share with
We share your data only with infrastructure providers that help us run the service — under strict contractual confidentiality obligations:
- Hosting and serverless compute — Vercel, for serving the site and running our application code.
- Database — Upstash, for storing your account, parsed policy details, audit reports, and renewal subscriptions.
- Document storage — Vercel Blob, for storing the original PDF you upload or forward. Documents sit encrypted at rest, scoped behind authenticated URLs.
- Email delivery — Resend, for transactional outbound messages (your review, sign-in codes, renewal reminders, and replies when you forward a policy to us).
- Inbound email processing — Postmark, for receiving emails forwarded to review@rightoffer.in. Postmark parses the email and hands the attachment to our servers; it does not retain the document long-term.
- Background job processing — Upstash QStash, for durably queueing audit work after an email is forwarded. Each queued job carries an internal reference to your forwarded document and email so we can resume if a step fails. Payloads are signed and short-lived.
- Sign-in via Google or Apple — only when you choose to use those providers; we receive your verified email and name from them. We do not push data the other way.
- AI parsing and review generation — Anthropic (Claude) to extract structured data from your policy and to compose the editorial review. Documents are sent without sales calls / marketing data; outputs are stored in our database only.
- Error monitoring — Sentry, for capturing application exceptions so we can fix bugs. Captured events may include limited context such as the route that errored and (rarely) the email of the affected user. We do not send full document contents to Sentry.
vi.
Your rights under the DPDP Act
You have the right to:
- Access — request a copy of all personal data we hold about you.
- Correct — update inaccurate or out-of-date personal data.
- Erase — ask us to delete your account and all uploaded documents. We will delete within 30 days unless retention is required by law (e.g. tax or fraud-investigation purposes).
- Port (export) — download a structured copy of your data — your audit, your uploaded policy details, and your account record — as machine-readable JSON. Use the export button in your /me portal, or write to us if you don't have an account active.
- Withdraw consent — for renewal reminders, optional data use, or any forward-looking purpose. Withdrawing consent does not affect the lawfulness of what we did before withdrawal.
- Grievance — raise a complaint about how we handle your data.
vii.
How long we keep data
Uploaded policy documents and your audit are retained for 24 months from your last interaction, after which they are automatically purged. Account data (email, vehicle history) is retained for as long as the account is active, plus 12 months after closure for fraud and audit purposes. Anonymised aggregate data — which is no longer personal — may be retained indefinitely for product and regulatory research. You can request earlier deletion at any time, and exercising your right to erase will purge everything we are not legally required to keep.
viii.
Security
Documents are encrypted in transit (TLS 1.2+) and at rest. Our databases sit behind authenticated APIs. We follow industry best practices for access controls, secret rotation, and incident response. In the event of a personal-data breach affecting you, we will notify you and the Data Protection Board within the timelines required by the DPDP Act.
ix.
Cookies
We use a small number of first-party cookies for sign-in sessions and basic product analytics. We do not run third-party ad-tracking cookies, retargeting pixels, or behavioural profiling.
x.
Changes to this policy
If we make material changes to this policy we will email existing users and post a notice at the top of this page for 30 days. Continued use of the service after a notice period implies acceptance.
xi.
Contact + Grievance Officer
For any privacy question or to exercise your DPDP rights, write to grievance@rightoffer.in.
Our designated Grievance Officer's name and direct contact will be added here on completion of company incorporation. Until then, all queries land in the founder's inbox and are answered personally — within 7 working days for any DPDP request.