Veil · Privacy Policy
Effective Date: April 7, 2026 · Last Updated: April 7, 2026
Platform: veiliit.app · Operated by students of IIT Kanpur, India
1. Introduction & Scope
This Privacy Policy (“Policy”) describes how Veil (“we,” “us,” or “our”) collects, uses, stores, and protects the personal information of users (“you”) who access the Veil platform at veiliit.app and any associated interfaces (collectively, the “Platform”).
Veil is an anonymous social platform open exclusively to verified students of Indian Institutes of Technology (IITs) across India. Access is restricted to holders of official IIT email addresses. By registering and using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy and our Community Guidelines.
This Policy is governed by and compliant with the Information Technology Act, 2000 (India) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Where users are located in jurisdictions subject to the GDPR or equivalent legislation, we endeavour to uphold equivalent protections.
🔒 Anonymity is the core architectural promise of Veil. This Policy is designed to protect and enforce it at every level.
2. Legal Basis for Processing
We process your personal data only where we have a lawful basis to do so:
- Consent. You have given explicit, informed consent to this Policy before creating an account. You may withdraw consent at any time by requesting account deletion.
- Contractual Necessity. Processing is necessary to provide the Platform services you have requested — including OTP verification, profile creation, messaging, and group participation.
- Legitimate Interests. We process minimal technical data (server logs, IP addresses) for abuse prevention, rate limiting, and platform security. This processing is proportionate and does not override your fundamental rights.
- Legal Obligation. We may process or disclose data where required by a valid court order, law enforcement authority, or applicable Indian law.
3. Consent & Agreement
Registration on Veil is entirely voluntary. Before creating an account, every user is presented with a mandatory consent checkbox requiring explicit acknowledgement of this Privacy Policy and the Community Guidelines. No account is created and no OTP is dispatched until this consent is affirmatively given.
By checking the consent box and proceeding, you specifically consent to:
- Collection and processing of your IIT email address for the sole purpose of one-time-password (OTP) identity verification.
- Voluntary self-disclosure of your academic batch, branch/program, and gender, which you enter yourself during onboarding. This information is not sourced from any third-party student database or institutional list.
- Storage of your anonymous profile, messages, and activity data on our secure servers for the duration of your account.
- Display of your anonymous identity (randomly assigned name), batch, and branch to other verified users on the Platform.
- Processing of minimal technical data (IP address, browser type, timestamps) for security and abuse prevention purposes.
You may withdraw consent at any time by ceasing to use the Platform and requesting account deletion at support@veiliit.app.
4. Information We Collect
4.1 Email Address (Verification Only)
To verify your eligibility, we collect your official IIT email address (e.g., yourname@iitk.ac.in). This email is used solely to send a One-Time Password (OTP). It is never displayed to other users, indexed in search results, sold, or disclosed to third parties except as described in Section 9.
We do not collect, access, or cross-reference your email against any institutional student database, roster, or third-party list. Verification is performed exclusively through OTP delivery to your email inbox.
4.2 Self-Provided Profile Information
During onboarding, you voluntarily enter your academic batch (e.g., Y22), branch or program, and gender. This data is entirely self-reported — Veil does not import, infer, or pre-populate any of this information from any institutional source. You may also optionally set a mood status and a short bio at any time.
4.3 Communications Data
Messages sent via Direct Messages, Group Chats, Posts, and anonymous Whispers are stored in our encrypted database to enable delivery and cross-device synchronisation. Deleted messages are permanently removed from our active databases within 24 hours.
Anonymous Whispers are a special feature that allows verified IIT users to send a message without exposing their email or identity to the recipient. If the recipient is not yet registered on Veil, we may use the recipient's IIT email only to send a one-time invite email to join Veil and read the whisper. The sender remains anonymous at all times unless both parties use the mutual reveal flow.
4.4 Technical & Usage Data
We collect standard server logs including IP addresses (for abuse prevention and rate limiting), browser/device type, and action timestamps. This data is processed in aggregate, is not linked to your anonymous identity, and is purged within 30 days.
4.5 Data We Do NOT Collect
- We do not collect your real full name, phone number, or any government-issued ID.
- We do not access your device contacts, camera, microphone, or location.
- We do not use cookies for advertising or cross-site tracking.
- We do not integrate Facebook Pixel, Google Analytics, or any third-party advertising SDK.
- We do not build behavioural profiles, use engagement-maximising algorithms, or sell data to any party.
5. How We Use Your Information
We do not use your data for advertising or behavioural profiling, and we do not sell, license, or otherwise transfer it to any third party, except as required by law (see Section 9).
6. Data Storage & Security
All user data is stored on Neon (serverless PostgreSQL) infrastructure with encryption at rest (AES-256) and in transit (TLS 1.3). Access to production databases is restricted to authenticated server-side processes only. No raw personal data is accessible from client-side code.
Real-time messaging is delivered via Ably, an encrypted publish-subscribe service. Message content in transit is encrypted between our server and the client.
We apply the principle of data minimisation: we collect only what is strictly necessary for the Platform to function. We conduct periodic security reviews and address identified vulnerabilities promptly.
⚠️ In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the incident and take all reasonable steps to contain and remediate it.
7. Anonymity Architecture
Veil's anonymity is enforced by architecture, not just policy. Here is exactly how:
- Your email address is stored in an isolated database column that is never joined to any public-facing query or API response visible to other users.
- Your anonymous identity (e.g., “Silent Moon”) is randomly generated at signup using a fixed word-pair algorithm. It cannot be changed, predicted, or reverse-engineered from your email address.
- Your self-reported batch, branch, and gender are shown on your anonymous profile — your email and real-name identifier are never exposed to any other user under any circumstances.
- The “Request Reveal” feature is strictly mutual: real identities are only shared when both parties independently consent. Neither party can be forced to reveal, and the feature cannot be used unilaterally.
- Group chats display only your batch and anonymous name — never your email or real-name identifier.
- Deleted messages are permanently and irrecoverably removed from our database within 24 hours.
- No API endpoint, admin panel export, or database query returns another user's email or real-name identifier.
8. Data Retention & Deletion
You can delete your account at any time directly from inside the app: Profile → Danger Zone → Delete Account. Once requested, your account enters a 7-day grace period during which it is frozen — you will receive no messages, no notifications, and you cannot be matched as a buddy. Signing in again with the same IIT email during this window fully restores your account. If you do not sign in within 7 days, an automated job permanently and irreversibly deletes all of your data — profile, posts, comments, votes, messages, group memberships, push subscriptions, and ban history. For the complete list of what is deleted (and the small set of de-identified data we are legally required to retain), see our Account Deletion page.
If you cannot access the app (lost device, forgot which email you used), email support@veiliit.app from your registered IIT email address and we will process the deletion within 7 business days.
9. Disclosure of Information
We will not sell, trade, rent, or voluntarily disclose your personal information to any third party. The only circumstances under which we may disclose information are:
- Valid Legal Process. Disclosure in response to a valid court order, subpoena, or direction from a competent authority under Indian law. We will notify affected users unless prohibited by the order itself.
- Imminent Physical Threat. Where we have a reasonable and credible belief that disclosure is necessary to prevent imminent physical harm or death to a specific person, and law enforcement has been contacted.
- Aggregated Statistics. Fully anonymised, non-identifiable statistical data (e.g., total user counts) may be shared publicly to demonstrate platform health. No individual user is ever identifiable from such data.
We will resist and legally challenge any overbroad, unlawful, or disproportionate demands for user data from any authority.
10. Children's Privacy
Veil is intended exclusively for enrolled students of IITs and is therefore designed for users who are at least 17 years of age. We do not knowingly collect personal data from children under 13 years of age. If we become aware that a user under 13 has provided personal data, we will delete that data promptly. If you believe a minor has registered on the Platform, contact us at support@veiliit.app.
11. Your Rights
As a user of Veil, you have the following rights with respect to your personal data:
- Right of Access. Request a copy of the personal data we hold about you.
- Right to Rectification. Correct inaccurate self-provided profile information (batch, branch, bio) at any time from within the app.
- Right to Erasure. Delete your account at any time from Profile → Danger Zone in the app. After a 7-day grace period (during which signing back in cancels the deletion), all of your data is permanently and irreversibly purged by an automated job. See our Account Deletion page for full details.
- Right to Withdraw Consent. Cease use of the Platform and request account deletion at any time. Withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal.
- Right to Restrict Processing. Request that we limit how we use your data in specific circumstances (e.g., while a dispute is being investigated).
- Right to Complain. Lodge a complaint with the appropriate data protection or consumer protection authority in your jurisdiction if you believe your rights have been violated.
To exercise any of these rights, email support@veiliit.app from your registered IIT email address. We will respond within 30 days.
12. Governing Law & Dispute Resolution
This Policy and any dispute arising from your use of the Platform shall be governed by the laws of India, including the Information Technology Act, 2000 and rules made thereunder. Any disputes shall be subject to the exclusive jurisdiction of the courts at Kanpur, Uttar Pradesh, India.
This Policy may be updated periodically to reflect changes in law, technology, or our practices. Material changes will be communicated via in-app notification at least 7 days before taking effect. Continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the changes.
13. Contact Us
For privacy-related queries, data deletion requests, consent withdrawal, or security disclosures: