Privacy Policy
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- Our Core Privacy Guarantee
- How We Protect Your Information
- Information Sharing and Disclosure
- Data Retention
- Your Rights
- Children's Privacy
- Push Notifications
- SMS and Email Communications
- Cookies and Tracking
- Changes to This Policy
- Contact Us & Grievance Officer
1. Introduction
Init ("we," "us," "our") operates the Init mobile application (the "App"), a mutual interest matching platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the App.
By creating an account or using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.
Contact: privacy@initmatch.com
Address: Om Chambers, 648/A, 4th Floor, Binnamangala 1st Stage, Indiranagar, Bengaluru — 560038, Karnataka, India
2. Information We Collect
2.1 Information You Provide Directly
- Phone number — used for registration and OTP verification.
- Email address — used for registration or linking to your profile.
- Date of birth — collected at registration for age verification (must be 18+).
- Password — stored as a secure hash; never stored in plain text.
- Username (Init ID) — a unique identifier you choose after registration.
- Social media profile URLs — optionally linked to your profile (Instagram, Facebook, LinkedIn, Snapchat).
- Interest expressions — the people you express interest in (phone, email, username, or social link) and the categories you select.
- Messages — content you send in matched conversations.
2.2 Information Collected Automatically
- Device tokens — for delivering push notifications (via Firebase Cloud Messaging).
- IP address and basic request metadata — logged by our servers for security and abuse prevention. Not stored long-term.
2.3 Information from Third Parties
- Google Sign-In — if you register or log in with Google, we receive your Google account email address and display name. We do not receive your Google password.
3. How We Use Your Information
- Account creation and authentication — to create your account, verify your identity via OTP or Google Sign-In, and maintain your session.
- Mutual interest detection — to determine whether two users have expressed reciprocal interest in each other. Your interest expressions are never visible to anyone unless the other person has also expressed interest in you. This is a core privacy guarantee of the App.
- Identity resolution across platforms — to match interest expressions made via phone number, email, username, or social media link to the correct user.
- Post-match communication — to enable real-time messaging between mutually matched users.
- Notifications — to notify you of new matches and messages via push notifications and in-app alerts.
- Age verification — to confirm you meet our minimum age requirement of 18 years.
- Safety and security — to protect against fraud, unauthorized access, and abuse of the platform.
- Service improvement — to maintain, troubleshoot, and improve the App's functionality.
4. Our Core Privacy Guarantee
Init is built around one fundamental principle: your interest in someone is never revealed unless it is mutual.
When you express interest in another person through the App:
- Your interest record is stored in encrypted form.
- The other person is not notified of your interest.
- Only when the other person independently expresses interest in you — with at least one overlapping interest category — are both parties notified of the match.
- If the interest is not mutual, the target person never learns that you expressed interest.
This privacy invariant is enforced at the code level and is central to how Init works.
5. How We Protect Your Information
5.1 Encryption at Rest
All personally identifiable information (PII) is encrypted using AES-256-GCM before being stored in our database. This includes phone numbers, email addresses, and social media profile URLs. Each encrypted field uses a unique initialization vector (IV) and authentication tag.
5.2 Hashed Lookups
For matching and duplicate-detection purposes, we store HMAC-SHA256 hashes of phone numbers and email addresses. These hashes allow us to detect matches without decrypting stored data, minimizing exposure of plaintext PII.
5.3 Encryption in Transit
All data transmitted between the App and our servers is encrypted using TLS 1.2 or higher. WebSocket connections for real-time messaging also use encrypted transport.
5.4 Secure Token Storage
Authentication tokens are stored in platform-specific secure storage — Android Keystore on Android and iOS Keychain on iOS.
5.5 Biometric Authentication
You may optionally enable biometric authentication (fingerprint or Face ID) for app access. Biometric data is processed entirely on your device and is never transmitted to our servers.
6. Information Sharing and Disclosure
6.1 We Do Not Sell Your Data
Init does not sell, rent, or trade your personal information to third parties. We never have and never will.
6.2 What We Share With Matched Users
When a mutual match is detected, we share the following with the matched user:
- Your display name
- Your username (Init ID)
- The overlapping interest categories
- Messages you send in the matched conversation
We never share your phone number, email address, social media links, non-mutual interest expressions, or date of birth with matched users.
6.3 Third-Party Service Providers
We use the following third-party services to operate the App. These providers process data on our behalf and are prohibited from using your data for their own purposes.
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, email delivery (SES) | All app data (stored on AWS infrastructure); email address for OTP/notifications |
| Google Firebase | Push notifications (FCM) | Device push token |
| Google Sign-In | Authentication | Google account email and display name (on login only) |
6.4 Legal Requirements
We may disclose your information if required to do so by law or in good faith belief that such action is necessary to comply with a legal obligation or court order, protect and defend our rights or property, prevent or investigate possible wrongdoing, or protect the personal safety of users or the public.
7. Data Retention
We retain your personal data for as long as your account is active. When you delete your account:
- Your account enters a 30-day grace period during which you can reactivate it.
- After 30 days, all your data is permanently and irreversibly deleted — including your profile, social links, interest records, chat messages, match records, and notifications.
8. Your Rights
8.1 All Users
- Access — request a copy of the personal data we hold about you.
- Correction — update inaccurate or incomplete personal data via your profile settings.
- Deletion — delete your account and all associated data at any time from Profile → Delete Account.
- Withdraw consent — unlink optional social media accounts at any time.
8.2 Indian Users — Digital Personal Data Protection Act, 2023 (DPDP)
Init is a Data Fiduciary under the DPDP Act, 2023. You are the Data Principal. We process your personal data only for the purposes described in this policy and only with your consent, which you provide by accepting our Terms of Service and Privacy Policy at registration.
8.2.1 Your Rights Under the DPDP Act
- Right to information about processing (Section 11) — you may request a summary of the personal data we hold about you and the processing activities we have carried out or are carrying out with that data.
- Right to correction and erasure (Section 12) — you may request correction of inaccurate or incomplete personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected or if you have withdrawn your consent.
- Right to grievance redressal (Section 13) — you may raise a grievance with our Grievance Officer (see Section 14). We will acknowledge receipt within 48 hours and resolve it within 30 days.
- Right to nominate (Section 14) — you may nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity. To register a nominee, contact our Grievance Officer.
8.2.2 Consent and Purpose
Under Section 6 of the DPDP Act, we provide the following consent notice:
- What data we collect: phone number or email address, display name, date of birth, and optionally social media profile links.
- Why we collect it: to create your account, verify your identity, detect mutual interest matches, enable post-match messaging, and send account-related notifications.
- How to withdraw consent: delete your account via Profile → Delete Account. Account deletion is the withdrawal of consent under the DPDP Act. Upon deletion, your data will be permanently erased within 30 days per our retention policy.
8.2.3 Data Breach Notification
In the event of a personal data breach that is likely to cause harm to you, we will notify the Data Protection Board of India and affected users as required under Section 8(6) of the DPDP Act. Notification will be made without undue delay and will describe the nature of the breach, the data affected, and the steps we are taking to address it.
8.2.4 Cross-Border Data Transfers
Your personal data is processed on servers located in the United States (AWS us-east-1). Cross-border transfers are subject to Section 16 of the DPDP Act. We will comply with any restrictions on cross-border data transfers that the Government of India notifies under the Act. If transfer restrictions affect our ability to store data outside India, we will migrate to India-based infrastructure and update this policy accordingly.
8.3 EEA, UK, and International Users (GDPR)
If you are located in the EEA or UK, you additionally have the right to data portability (receive your data in a machine-readable format), restriction of processing, the right to object, and the right to lodge a complaint with your local data protection authority.
Legal basis for processing: account operations and matching are performed on the basis of contractual necessity; safety and security on the basis of legitimate interest.
International data transfers: your data is processed on servers in the United States (AWS us-east-1). For transfers from the EEA/UK, we rely on AWS's Standard Contractual Clauses (SCCs).
9. Children's Privacy
Init is strictly for users aged 18 and older. We require date of birth verification at registration. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a user is under 18, we will immediately terminate their account and delete all associated data.
If you believe a minor is using the App, please contact us at privacy@initmatch.com.
10. Push Notifications
You may receive push notifications for new mutual matches and new messages from matched users. You can disable push notifications at any time through your device settings. Disabling notifications does not affect the core functionality of the App.
11. SMS and Email Communications
We send SMS messages and emails only for transactional purposes: one-time passwords (OTP) for account verification and match notifications. We do not send marketing messages via SMS or email. By registering with a phone number or email, you consent to receiving verification codes necessary for account security.
12. Cookies and Tracking
The Init mobile app does not use cookies or web-based tracking technologies. We do not use third-party analytics SDKs, advertising trackers, or pixel tags in the App. See our Cookie Policy for details on how our website uses browser storage.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via an in-app notification and update the "Last Updated" date at the top of this page. Continued use of the App after notification constitutes your acceptance of the updated policy.
14. Contact Us & Grievance Officer
14.1 General Privacy Inquiries
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Email: privacy@initmatch.com
- Subject line: "Privacy Inquiry — [Your Username]"
We will respond to all privacy-related inquiries within 30 days.
14.2 Grievance Officer (India — DPDP Act 2023 & IT Act 2000)
In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Init has designated a Grievance Officer for India:
- Name: Bipin Bettadalli Neelakanta
- Designation: Grievance Officer
- Email: privacy@initmatch.com
- Postal address: Om Chambers, 648/A, 4th Floor, Binnamangala 1st Stage, Indiranagar, Bengaluru — 560038, Karnataka, India
- Response time: Acknowledgement within 48 hours; resolution within 30 days of receipt
You may contact the Grievance Officer to exercise your rights under the DPDP Act (access, correction, erasure, nomination), to report a privacy concern, or to raise any grievance related to the processing of your personal data. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India once it is constituted.