Privacy Policy

1. Data Roles

• For account, verification, security, dashboard, community, support, grievance, tool-usage analytics and platform administration data, Investigation Camp acts as a Data Fiduciary/controller because it determines the purpose and means of processing.
• For case or investigation files processed only within the user's browser and not transmitted to Investigation Camp, Investigation Camp generally acts as a tool provider and may not receive or store the raw content.
• For server-side features, controlled links, uploads, external APIs, AI workflows or optional cloud workflows, the applicable tool-specific notice should explain the processing mode, purpose and retention.
• The user and the user's department/unit remain responsible for ensuring that case/evidence data is lawfully obtained, lawfully processed, confidentially handled and used under applicable law and procedure.

2. Categories of Data We May Collect

Category	Examples
Account and identity data	Name, email, mobile number, gender, password hash, registration IP, profile photo, designation/rank, state, district, police station/unit, joining year and preferences.
Verification data	Government email checks, OTP logs, profile completion status, admin verification status, police ID/proof images where enabled and approval/rejection records.
Technical and security data	IP address, user-agent, browser, operating system, device type, session ID, login timestamps, failed login attempts, lockouts, rate limits and audit events.
Tool usage data	Tool key, sessions, page views, active seconds, uploads count, searches count, lookups count, records processed count, export count, error count and aggregated metrics.
Investigation/query data	Files, numbers, IPs, domains, IFSCs, coordinates, templates, case references or selected text entered into a tool, depending on the tool's processing mode.
Community and communications	Posts, chats, comments, success stories, feedback, support emails, grievance details and attachments voluntarily provided.
Location and permission-based data	GPS/geolocation only after browser/device permission or tool consent flow; IP-based approximate location for security or consent-link operation.
Controlled link/session data	Link ID, case reference entered by user, timestamps, IP, user-agent, referrer, device/browser hints, consent mode, permission status and GPS coordinates if permitted.
Payment/support data if enabled	Contributor name/contact, transaction reference, amount, date, payment provider response and legally required accounting records.

3. Data We Do Not Intentionally Collect

• The Platform does not intentionally collect browser-saved passwords, banking passwords, private OTPs, full browser history, installed application lists, SIM IMSI, hidden device identifiers or contacts from a visitor's device unless a specific lawful feature clearly requests a permitted data field.
• Aadhaar-related utilities, where provided, are intended for validation/format/checksum assistance only and do not claim UIDAI demographic lookup or identity verification unless separately and lawfully integrated.
• The Platform should not claim that a web link can capture IMEI, saved passwords, browser history or hidden account identity.
• Location, camera, microphone, clipboard or similar permission-based data must be collected only after clear user/visitor action and browser/device permission.

4. Why We Use Data

• To create, verify, secure and manage accounts and professional access.
• To provide tools, dashboards, reports, exports, templates, community features, support and service communications.
• To prevent unauthorised access, impersonation, abuse, scraping, data leakage, attacks and misuse of investigation tools.
• To maintain audit logs for platform safety, incident response, verification, abuse review and lawful accountability.
• To improve tools, fix bugs, measure performance, prioritise features and understand aggregated usage patterns.
• To comply with legal obligations, respond to valid legal requests, enforce Terms, protect rights and handle grievances.

5. Legal Bases and Lawful Grounds

• Processing may be based on consent, voluntary disclosure by the user, performance of Platform services, legitimate platform/security needs, legal obligation, grievance handling or lawful investigation/prosecution-related requirements.
• Where consent is the basis, users may withdraw consent for future processing, subject to technical feasibility, legal retention duties, security requirements and consequences of withdrawal.
• Users must provide authentic information while exercising privacy rights and must not use privacy rights for false, frivolous or impersonated requests.

6. Client-side Tool Processing

• Where a tool is marked or designed as client-side/browser-side, uploaded files may be read and processed locally in browser memory and may use localStorage, IndexedDB or temporary browser cache.
• Such files are not intentionally uploaded to Investigation Camp servers by that tool unless the user uses a feature that sends data outside the browser, such as cloud processing, external API enrichment, sharing, email, server-side conversion, admin review or support upload.
• Users should verify tool behaviour through browser DevTools Network/XHR/Fetch requests and Application storage before using sensitive case data.
• Users should clear browser storage, logout and use secure devices when working with sensitive investigation data.

7. Server-side and Temporary Processing

• Some tools may process selected data on a server where browser-only processing is not practical, such as OCR, AI extraction, large file parsing, authenticated APIs, dashboard persistence, email generation or secure admin workflows.
• Server-side tools should collect only minimum necessary data and delete temporary processing files according to the applicable retention schedule unless the user saves the output or legal/security needs require retention.
• Where the Platform cannot support a file type, file size, batch size, encrypted document, corrupted file, unusual format or browser limitation, the tool may fail, limit processing or require a local/desktop workflow.

8. Third-party Services and APIs

• The Platform may use third-party services for hosting, DNS/CDN/security, email/OTP delivery, maps, IFSC/bank lookup, AI APIs selected by the user, analytics/error logs, payment processing if enabled and other operational needs.
• Only data necessary for the selected function should be shared. Examples include IFSC code for bank lookup, coordinates for maps, recipient email for OTP, IP/domain for enrichment, or selected text/files for AI processing when the user chooses that feature.
• Third-party providers may have their own terms, privacy policies, retention practices and infrastructure locations. Users should avoid sending sensitive case material to external APIs unless they have authority and understand the risk.

9. Cookies, Local Storage and Sessions

• The Platform may use cookies, secure session tokens, localStorage and IndexedDB for login status, preferences, tool state, offline/client-side processing, security, remember-me features and dashboard functionality.
• Authentication cookies should use secure practices such as HttpOnly, SameSite and Secure flags where applicable, and sessions should be time-limited.
• Clearing browser storage may remove local tool history, preferences, unfinished analysis, cached models, IndexedDB records or session state.

10. Data Sharing and Disclosure

• Investigation Camp does not sell user personal data.
• Data may be shared with authorised Platform administrators, service providers, email/OTP providers, hosting/security providers, payment providers if enabled, legal advisors, auditors or competent authorities where required for security, support, service operation, compliance or abuse investigation.
• Community posts, public wall content, success stories or profile fields may be visible to other users or the public depending on feature settings. Users must not post confidential or personal case data.
• Data may be disclosed where required by law, valid legal process, court order, competent authority request, cybersecurity incident response, user safety, fraud prevention, IP enforcement or Platform protection.

11. Data Retention

Retention depends on feature design, legal requirement, security risk, user settings and operational need. The schedule below should be implemented in code and tool-level notices.

Data category	Recommended retention / handling
Client-side raw files	Not retained by Investigation Camp where processed only in the browser; may remain in browser memory/localStorage/IndexedDB until cleared by the user or tool.
Server-side temporary processing files	Delete automatically after processing, preferably within 24-72 hours, unless saved by user or required for legal/security reasons.
Account profile and verification data	Retain while account is active and as needed for verification, security, support or legal compliance; delete/anonymise after confirmed deletion where permitted.
Profile / police ID images	Restrict access; retain only as needed for verification, re-verification, abuse prevention and compliance; delete files on account deletion where code supports it.
OTP/password reset records	Retain for a limited security period unless abuse/security investigation requires longer; expired or used records should be purged on a schedule.
Security/audit logs	Retain for incident response and abuse prevention, such as at least one year where required by DPDP Rules or longer where law, legal claim, misuse or departmental need requires.
Tool usage analytics	Retain aggregated/metric data for product improvement and abuse detection; avoid storing raw case content in analytics.
Community posts / success stories	Retain until user deletes, admin removes, account closes or moderation/legal needs require retention.
Controlled link captures	Retain only as needed for lawful case-linked purpose, user export, audit and legal requirements; provide expiry and deletion controls where practical.
Payment/donation records	Retain as required by accounting, tax, audit and legal obligations.

12. Account Deletion and Data Rights

• Users may request access, correction, update, consent withdrawal, account deletion, erasure, grievance redressal and nomination, subject to applicable law and identity verification.
• The current platform supports self-service account deletion for non-admin users after confirmation. It deletes users, profile data, posting history, OTPs, password history, selected subscriptions/access rows and profile/ID image files where present.
• The deletion flow also retains or updates selected audit log snapshots to record account deletion and prior activity. This is appropriate for security, abuse prevention and accountability when kept limited and access-controlled.
• Admin accounts should not be deleted through ordinary self-service flows and may require administrator or legal review.
• Privacy requests may be sent to support@investigationcamp.in. Investigation Camp should respond within the legally applicable period and, under the DPDP Rules 2025, target a maximum of 90 days for applicable access/correction/update/erasure requests.

13. Security Safeguards

• The platform includes reasonable safeguards such as HTTPS/security-header support, HttpOnly/SameSite/Secure cookie settings, CSRF tokens, Argon2id password hashing, failed-login lockouts, session regeneration, rate-limit logging, input validation, output encoding, role-based checks and audit logs.
• Security should continue to include server hardening, restricted admin access, encrypted backups where used, secrets in environment variables, least-privilege database access, upload validation, vulnerability review and incident-response procedures.
• No digital platform can guarantee absolute security. Users must also use secure devices, updated browsers, strong passwords, careful file handling, logout discipline and departmental security practices.
• Users should report vulnerabilities responsibly and must not exploit or publicly disclose weaknesses before a reasonable remediation opportunity.

14. Personal Data Breach Handling

• If Investigation Camp becomes aware of a personal data breach affecting Platform-controlled personal data, it will assess the incident, contain risk, preserve relevant logs, take corrective steps and notify affected users and competent authorities where required by applicable law.
• Notices should include what happened, categories of data affected, likely consequences, mitigation steps, contact information and recommended user action.
• For data processed only locally in a user's browser and never transmitted to the Platform, the user and department/unit remain responsible for device-level security, storage, sharing and incident response.

15. Children and Public Awareness

• Restricted Platform accounts are not intended for children or minors.
• Public cyber-awareness content may be suitable for general education, but collection of children's personal data should be avoided unless lawful, necessary and supported by verifiable parent/guardian consent where required.
• Training sessions or awareness activities should avoid collecting unnecessary personal details from students or members of the public.

16. Consent-based, Location-based and Controlled Link Features

• Features that collect location, device/browser hints or visitor session data must be used only for lawful, case-linked, authorised and proportionate purposes.
• If a feature offers consent modes, users must select the mode appropriate to lawful authority, operational need, platform instructions and privacy risk.
• GPS/geolocation requires browser/device permission and may be inaccurate, denied, spoofed, unavailable or limited by device/network/browser settings.
• Consent screens should clearly state what may be collected and must not claim hidden collection of IMEI, saved passwords, browser history or secret identity.

17. International Transfers

• Some providers may process data outside India depending on hosting, email, security, API, map, AI or payment infrastructure.
• Investigation Camp should use reasonable safeguards and avoid transfers restricted by applicable Indian law or government notification, where applicable.
• Users should not send sensitive case material to external services unless they have authority and understand cross-border processing risk.

18. Changes to This Privacy Policy

• Investigation Camp may update this Privacy Policy to reflect legal changes, new tools, architecture changes, security improvements, platform migration, feature additions or operational needs.
• Material changes should be communicated through the website, dashboard, email or in-app notice where feasible.
• Continued use after publication of updated terms/policy indicates acceptance of the updated document, subject to rights available under applicable law.

19. Privacy and Grievance Contact