Privacy policy

PennyDrive is an Indian cloud storage service. This policy explains what personal data we collect, why we collect it, how we protect it, and the rights you have under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Who we are

PennyDrive is operated as a proprietorship based in Mumbai, Maharashtra, India. For the purposes of the DPDP Act, we are the Data Fiduciary responsible for your personal data.

If you have any questions about this policy or how we handle your data, contact us at support@pennydrive.in.

2. What we collect

From Google Sign-In

Your email address (verified by Google)
Your display name (the name on your Google account)
A Google-issued user identifier ("sub") that lets us recognise your account on return visits

We do not receive your Google password, contacts, calendar, or any Google account data beyond the three items above.

From your use of the app

File metadata — filename, file size, SHA-256 hash, folder structure, upload and archive timestamps. We need this to list your files, show folder sizes, and detect duplicates.
Device information — device name, device type (Android), IP address, and session activity, used for session management and so you can remotely log out devices.
Usage logs — API request timestamps and error records used for security monitoring and service operation.
Billing records — subscription state, plan choice, billing cycle, and invoice history. Actual card or UPI credentials are handled entirely by our payment processor; we never see or store them.

What we never collect

Your file contents. Files are encrypted on your device before upload. We cannot read them, search them, or share them.
Your location beyond the IP address attached to a sign-in event.
Contacts, SMS, microphone, camera (outside the file picker), or any data from other apps.

3. Why we collect it (purposes & legal basis)

What	Why	Legal basis
Email, display name, Google sub	Create and identify your account; send transactional notifications (retrieval ready, billing receipts, security alerts)	Performance of contract
File metadata	Operate the storage service — list files, enforce quotas, dedupe, archive, retrieve	Performance of contract
Device + session info	Keep your account secure; let you review active sessions	Legitimate interest (security)
Usage logs	Detect abuse, investigate incidents, fix bugs	Legitimate interest (security and service quality)
Billing records	Process subscriptions, issue GST invoices, handle refunds	Performance of contract and legal obligation (tax)

You grant consent for these purposes when you complete the onboarding consent screen. You can withdraw consent for non-essential processing at any time from the app's Account → Privacy & data screen.

4. Where your data is stored

All personal data and file metadata is stored in the India region. Files themselves are held in active storage when recently uploaded and moved to cold (archive) storage when you choose to archive a folder. Both active and cold storage are located within India.

Data is encrypted at rest using AES-256 and transmitted over TLS 1.2 or higher. Files are additionally encrypted on your device before upload, meaning the bytes we hold cannot be read by us.

5. Who we share it with

We do not sell your data. We do not share it for advertising. We share strictly limited information with the following processors who help us operate the service:

Google — for sign-in only. Google receives no data from PennyDrive other than what you already share by signing in with your Google account.
Razorpay — our payment processor. We share your email and subscription details so they can process payments and issue invoices. Your payment credentials (card, UPI, bank) go directly to Razorpay; we never see them.
Amazon Web Services (AWS) & Firebase — our infrastructure providers for India-region hosting and push notifications. They process data on our behalf under contractual safeguards.

We may disclose information if legally compelled to do so (court order, government request under applicable law). Where legally permitted, we will notify you before doing so.

6. How long we keep it

While your account is active: we retain your data for as long as the account exists.
After account deletion: when you delete your account, we begin a 30-day purge. All files, thumbnails, metadata, and profile information are permanently removed within 30 days. This window exists for safety (accidental deletion recovery) and to complete any outstanding billing reconciliation.
Billing records: invoices and payment records are retained for 8 years after account deletion, as required by Indian tax law.
Security logs: retained for 90 days, then deleted.

7. Your rights under the DPDP Act

As a Data Principal, you have the right to:

Access — request a copy of the personal data we hold about you
Correct — ask us to correct inaccurate or outdated data
Erase — request deletion of your data, subject to legal retention requirements
Withdraw consent — turn off non-essential processing (e.g. push notifications, usage analytics) at any time
Nominate — nominate someone to exercise your rights in case of your death or incapacity
Grievance redressal — raise a complaint with our grievance officer (see section 10) or, if unresolved, with the Data Protection Board of India

To exercise any of these rights, use the in-app controls in Account → Privacy & data, or email support@pennydrive.in. We respond within 30 days.

8. Security & breach notification

We use industry-standard security: TLS in transit, AES-256 at rest, encrypted session tokens stored on your device's secure keystore, rate limiting, and automated monitoring for suspicious activity.

If we suffer a personal data breach that risks harm to you, we will notify you and the Data Protection Board of India within 72 hours, in accordance with the DPDP Act.

9. Children

PennyDrive is intended for users aged 18 and above. You confirm your age at sign-up. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will remove the account and associated data.

10. Grievance officer

PennyDrive Grievance Officer
Mumbai, Maharashtra, India
Email: pennydrive.2026@gmail.com

In accordance with the DPDP Act, the grievance officer is available to address concerns regarding the processing of your personal data. We aim to respond to grievances within 7 working days and resolve them within 30 days.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll notify you in-app and by email before the changes take effect. The version number and "last updated" date at the top of this page always reflect the current version.

12. Contact

General support: support@pennydrive.in

Grievance officer: pennydrive.2026@gmail.com