Chitrashakti Privacy Policy
Last updated: 14 December 2025
This Privacy Policy explains how Chitrashakti ("we", "us", or "our") collects, uses, stores, and shares personal information when you use our web application, mobile experiences, APIs, or related services (together, the "Services"). Chitrashakti is operated from India and primarily serves Indian users, but may be accessed worldwide.
By accessing or using the Services you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use immediately.
1. Scope & Definitions
- User – Anyone visiting or using the Services, including registered customers and beta testers.
- Personal Data – Information relating to an identifiable individual as defined under the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and other applicable Indian regulations.
- Processing – Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- AI Outputs – Images, prompts, or textual content generated through our AI features (Genkit + Gemini, custom models).
This policy covers all processing activities for the public web app, authenticated dashboard, admin console, newsletters, customer support, and marketing campaigns.
2. Information We Collect
2.1 Data You Provide
- Account & Authentication – Name, email address, phone number (optional), locale, profile photo, Firebase UID, and admin role flags.
- Payment & Billing – When you purchase credits via Razorpay, we receive: transaction IDs, payment method (UPI, card, net banking or wallet; never the full card number), order IDs, payment status, amount, receipt numbers, timestamps, and GSTIN (if provided for invoicing). We never store full card numbers, CVV, or card expiry dates; card details are handled exclusively by Razorpay's PCI DSS Level 1 compliant infrastructure and do not pass through our servers. Payment failures and error codes may be logged for support purposes.
- Content & Uploads – Text prompts, reference images, feedback, support tickets, or survey responses you submit.
- Communications – Emails or chat messages with our support team, beta-program agreements, testimonials (with consent).
2.2 Data Collected Automatically
- Usage Analytics – IP address, device/OS info, browser type, referral URL, pages visited, buttons clicked, session duration. Captured via Firebase Analytics, Cloud Logging, and custom instrumentation.
- Generated Assets Metadata – Creation timestamps, template names, image resolution, success/error status, credit consumption.
- Cookies & Local Storage – Authentication tokens, language preference, A/B testing buckets, rate-limit markers.
2.3 Third-Party Sources
- Firebase Authentication for social login profile data (according to provider settings).
- Publicly Available Information for brand verification (e.g., company websites, social profiles) when onboarding enterprise accounts.
We do not intentionally collect data from children under 18. If you believe a minor has provided us data, contact us (Section 14) and we will delete it.
3. How We Use Personal Data
- Account Provisioning & Security – Creating accounts, verifying identity, enforcing admin access controls, preventing fraud, detecting suspicious payment patterns.
- Service Delivery – Generating AI artwork, storing compositions in Firebase Storage, maintaining user credit balances in Firestore, queuing jobs via Upstash Redis.
- Payments & Billing – Processing credit purchase orders, verifying payment signatures, reconciling transactions via Razorpay webhooks, issuing invoices, calculating GST (18% as applicable), maintaining transaction records for tax compliance, handling payment disputes, and processing refunds (subject to Terms of Service).
- Analytics & Product Improvement – Measuring feature usage, debugging performance (Cloud Run/App Hosting logs), customizing onboarding flows, training prompt recommendations.
- Communications – Sending payment receipts and confirmations, credit balance notifications, updates about new features, marketing campaigns (with opt-out), service alerts, and responding to support requests.
- Compliance & Risk Management – Meeting legal obligations under Indian IT rules & DPDP Act, Income Tax Act (maintaining 7-year transaction records), responding to lawful requests, enforcing terms, detecting payment fraud and abuse.
- Research & Development – Aggregated, de-identified insights to improve AI models; we do not sell Personal Data.
4. Legal Basis for Processing
- Consent – For marketing emails, beta-survey participation, or optional data (you may withdraw anytime).
- Contractual Necessity – Delivering paid services, generating assets, providing customer support.
- Legitimate Interests – Securing the platform, preventing fraud, improving performance, anonymized analytics.
- Legal Obligations – Maintaining tax/GST records, responding to government notices, complying with DPDP Act and Indian Computer Emergency Response Team (CERT-In) directives.
5. Disclosure to Third Parties
We share Personal Data only when necessary:
| Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Firebase (Google LLC) | Authentication, Firestore, Storage, App Hosting | Account info, usage logs, stored content | asia-southeast1 (Singapore); USA (Firebase Auth) |
| Razorpay Software Pvt. Ltd. | Payment processing, order creation, signature verification | Name, email, phone (optional), order ID, amount, payment method, GSTIN (if provided), transaction status | India (RBI authorized) |
| Upstash Inc. | Rate limiting, queueing | IP hash, UID references, rate limit counters | Globally distributed |
| Google Cloud Logging/CDN | Serving content, security, webhook monitoring | IP address, URL paths, response codes, error logs | Asia-Pacific, USA |
| Email & Notification Providers | Transactional emails, payment receipts, marketing updates | Email, name, message content, transaction details | As per provider |
| Professional Advisors | Accounting, legal, auditing, GST compliance | Necessary billing records, tax documents | India |
| Law Enforcement/Regulators | When legally required | Information requested under applicable law | As required |
All vendors are bound by contractual clauses ensuring confidentiality and compliance with Indian law plus adequate safeguards for international transfers (see Section 7).
We do not sell or rent Personal Data.
6. Cookies & Tracking Technologies
- Required Cookies – Authentication tokens, session identifiers (first-party), Firebase ID tokens.
- Preference Cookies – Language selection (en/hi), theme.
- Analytics/Performance – Firebase Analytics, Google Tag Manager (if enabled).
- Payment Cookies – Razorpay checkout widget sets temporary cookies for payment session management and fraud prevention during checkout.
- Third-Party Scripts – Razorpay Checkout JS (https://checkout.razorpay.com), optional chat/support integrations.
You can manage cookies via browser settings; disabling essential cookies may break authentication and payment functionality.
7. Data Storage & International Transfers
Data is hosted primarily in the Google Cloud asia-southeast1 (Singapore) region; backups may be replicated to other regions. When data is transferred outside India, we rely on:
- Contractual clauses with vendors ensuring DPDP Act compliance.
- Technical safeguards: encryption at rest (AES-256) and in transit (TLS 1.2+), strict IAM policies, audit logging.
8. Retention
- Payment & Tax Records: Minimum 7 years from transaction date as required by Income Tax Act, 1961 and GST regulations. Includes invoices, payment orders, transaction IDs, receipts, GSTIN records, webhook logs, and payment verification signatures.
- Credit Purchase History: Retained with active account; available in user dashboard for transparency and audit trail.
- Generated Assets & Prompts: Retained while your account is active or until you delete them; anonymized derivatives may be kept longer for model improvement.
- Webhook Events: Stored indefinitely for payment reconciliation and dispute resolution; includes event IDs, signatures, processed status, and error logs.
- Rate Limit & Fraud Detection Logs: 90 days (Upstash Redis sliding window + archived logs).
- General Logs & Analytics: Typically 12 months, unless required for security investigations or legal holds.
- Support Conversations: Up to 3 years for reference and dispute resolution.
When retention expires, we delete or irreversibly anonymize the data, except where legal obligations require longer retention.
9. Your Rights (India & Global)
Subject to applicable law, you may:
- Request access, correction, update, or deletion of Personal Data.
- Withdraw consent for marketing.
- Opt out of automated decision-making related to credit limits or abuse detection (though we may be unable to provide the Service without certain checks).
- Lodge a complaint with the Data Protection Board of India.
Submit requests via Section 14; we will verify identity before acting.
10. Security Measures
- Authentication: Firebase Auth with enforced email verification, MFA for admin accounts, role-based authorization (Firestore Security Rules).
- Payment Security:
  - HMAC-SHA256 signature verification for all Razorpay webhooks and payment callbacks
  - Server-side pricing validation against a canonical pricing config, so the amount confirmed by Razorpay is checked against the price we set and a client cannot manipulate it
  - Idempotency checks keyed on the payment/event ID, so a retried webhook never credits the same payment twice
  - Atomic Firestore transactions for credit updates
  - Rate limiting (5 orders/minute per user) to prevent payment abuse
  - Never storing sensitive payment data (full card numbers, CVV, expiry)
- Infrastructure: Secret management via Firebase App Hosting / Secret Manager; no production secrets in code.
- Network: Firewalls, rate limiting (Upstash Redis), and runtime logging for intrusion detection.
- Maintenance & Reliability: Regular dependency patching, vulnerability scans and manual code reviews; webhook retry handling so that a transient failure does not lose a payment.
- Data Protection: AES-256 encryption at rest, TLS 1.2+ in transit (TLS 1.3 negotiated where the client supports it), encrypted backups, strict IAM policies.
Despite best efforts, no system is 100% secure. Report suspected breaches immediately to support@chitrashakti.com.
11. Payment Processing & Refunds (Razorpay)
11.1 Payment Gateway
All credit purchases are processed through Razorpay Software Pvt. Ltd., an RBI-authorized payment aggregator registered in India. Razorpay's privacy policy applies to payment data: https://razorpay.com/privacy/
11.2 Payment Methods
We accept UPI, debit/credit cards (Visa, Mastercard, RuPay, Amex), net banking, and digital wallets via Razorpay.
11.3 Pricing & GST
- All prices are in Indian Rupees (INR) inclusive of 18% GST.
- Pricing is determined server-side from a canonical pricing configuration; the amount confirmed by Razorpay is checked against it, so a client cannot alter the price of a purchase.
- Current pricing tiers: Trial (₹99/10 credits), Value (₹399/50 credits), Power (₹699/100 credits).
- Prices and credit consumption rates (Standard: 1 credit, HD: 2 credits, UHD: 4 credits) may change based on operational costs without advance notice.
11.4 Payment Verification
- Payments are verified using cryptographic signatures (HMAC-SHA256) before any credits are granted.
- Credits are added after successful signature verification of either the checkout callback or the Razorpay webhook, whichever arrives first.
- The webhook is the authoritative source: a payment is still credited if the browser callback is lost to a network failure, and idempotency checks ensure it is credited only once.
11.5 Refund Policy
- Digital Credits: Non-refundable once successfully credited to your account (as credits are consumable digital goods).
- Payment Failures: If payment is deducted but credits not received within 24 hours, contact billing@chitrashakti.com with transaction ID.
- Duplicate Charges: Refunded within 5-7 business days upon verification.
- Technical Errors: Case-by-case review; refunds processed to original payment method within 7-10 business days.
11.6 Chargebacks
Initiating chargebacks without contacting us may result in account suspension. We maintain detailed transaction logs for dispute resolution.
12. AI-Specific Disclosures
- Prompts and generated images may be reviewed manually to enforce community guidelines or improve safety filters.
- Users are responsible for ensuring prompts do not infringe third-party rights or violate Indian laws on hate speech, obscenity, or IP.
- We may use aggregated, de-identified prompts to improve models; we do not train on personal images without consent.
- Automated moderation may restrict certain content; appeals can be submitted to our support team.
13. Third-Party Links
Our site may link to other websites (blogs, showcases, payment portals). Their privacy practices are outside our control; review each site's policy before sharing data.
14. Contact & Grievance Redressal
Data Controller (Data Fiduciary under the DPDP Act) – Somesh Dwivedi (Chitrashakti)
- General Inquiries & Support: support@chitrashakti.com
- Payment, Refund & Billing Issues: billing@chitrashakti.com (include transaction ID)
- Postal Address: Chitrashakti Labs, 3rd Floor, [Your Office Address], Pune, Maharashtra, India.
Grievance Officer (per IT Rules 2021 & DPDP Act 2023) – Somesh Dwivedi
- Email: support@chitrashakti.com
- Response timeline: 24 hours acknowledgment, 15 days resolution.
For payment-specific disputes with Razorpay, you may also contact: support@razorpay.com
15. Updates
We may update this Privacy Policy to reflect product changes or legal requirements. The "Last updated" date will change, and significant updates may be emailed or shown in-app. Continued use after updates constitutes acceptance.
16. Acceptance
By creating an account, purchasing credits, or using any Services, you confirm that you have read and understood this Privacy Policy and consent to the described practices.