Privacy Policy

How we collect, use, and protect your personal data

Last updated: March 8, 2026Effective: March 8, 2026

Your Aadhaar number is NEVER stored. We are fully compliant with India's DPDPA 2023, IT Act 2000, and SPDI Rules 2011. We never sell your data.

1. Overview & Who We Are

This Privacy Policy ("Policy") describes how Milanse Private Limited ("Milanse", "we", "us", "our"), the owner and operator of the Milanse matrimonial platform ("Platform"), collects, uses, stores, discloses, and protects your personal data when you access or use our website, mobile application, or any related services. This Policy is drafted in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Intermediary Guidelines"), and all other applicable Indian laws.

By registering on or using the Platform, you consent to the collection, use, storage, and disclosure of your personal data as described in this Policy. If you do not agree, please do not use the Platform.

2. Data Fiduciary Details

Under the DPDPA 2023, Milanse Private Limited is the Data Fiduciary responsible for processing your personal data. Our Data Protection Officer and Grievance Officer details are provided in Section 21 of this Policy. All data processing is conducted within India or in jurisdictions that offer equivalent or greater data protection standards.

DetailInformation
Legal Entity NameMilanse Private Limited
Brand NameMilanse
Registered OfficeMumbai, Maharashtra, India
CIN[CIN — to be updated]
Data Protection Officerdpo@milanse.com
Grievance Officergrievance@milanse.com
General Legal Inquirieslegal@milanse.com

3. Personal Data We Collect

We collect personal data that you voluntarily provide during registration and use of the Platform, as well as data we collect automatically. Below is a comprehensive breakdown of the categories of personal data we collect:

CategoryData PointsPurpose
Identity & ContactFull name, date of birth, gender, phone number, email addressAccount creation, authentication, OTP delivery
Community & ReligionReligion, community (e.g., Gahoi Baniya), Gotra, Aakna, mother tongueMandatory community matching; Gotra auto-exclusion enforcement
Personal DetailsHeight, weight, complexion, physical disability (optional), diet, smoking/drinking habitsProfile creation and partner preference matching
Education & CareerHighest education, field of study, institution, occupation, employer, annual income rangeMatch compatibility and partner preference filtering
LocationCurrent city, state, country; hometown; location coordinates (coarse, with permission)Location-based matching and privacy controls (city/state blocking)
Family DetailsFather's occupation, mother's occupation, family type, number of siblings, family valuesProfile completeness and compatibility matching
PhotosProfile photos, gallery photos (face-verified)Profile display; identity verification via face matching
Verification DocumentsDocument type selected (Aadhaar/Passport/OCI/PAN); document images for OCR (processed in memory only)Identity verification before profile goes live
Biometric DataSelfie image (stored permanently as identity anchor); facial comparison scoresLive selfie verification; ongoing photo authenticity checks
Partner PreferencesAge range, height range, education, income, location, community, lifestyle preferencesAI-powered matching and search filtering
Behavioral & UsageSearch queries, profiles viewed, interests sent/received, messages sent, login times, feature usageMatch recommendations, seriousness scoring, analytics, fraud prevention
TechnicalIP address, device fingerprint, browser/OS type, app version, session tokensSecurity, rate limiting, fraud detection, session management
PaymentTransaction ID, subscription plan, payment status (no card/UPI details stored — handled by Razorpay)Subscription management and billing records

4. Aadhaar & KYC Data — Critical Disclosure

IMPORTANT: Milanse NEVER stores your Aadhaar number. We process it only in encrypted memory during verification and immediately discard it. Only a one-way salted SHA-256 hash is retained for the sole purpose of preventing duplicate registrations.

Aadhaar-based verification is conducted exclusively through DigiLocker's secure, UIDAI-authorised API or through Surepass's Aadhaar eKYC service. Your Aadhaar XML/data and the 12-digit Aadhaar number are processed in temporary memory only — they are never written to disk, never logged, and never stored in our database. The only artefact stored is a one-way salted SHA-256 cryptographic hash of your Aadhaar number, which cannot be reversed to obtain your actual number. This hash is stored solely to detect and prevent the same person from creating multiple accounts, as required for platform integrity. We strictly comply with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and all UIDAI guidelines. We do not use Aadhaar data for any purpose other than verifying your identity as required by the Platform's trust-first mandate.

Alternative Verification Documents

Users who do not have or do not wish to use Aadhaar may alternatively verify their identity using Passport, OCI Card, or PAN Card. In these cases, the document images are processed through our secure OCR pipeline, relevant fields are extracted and cross-checked against your profile, and the document images are stored in encrypted form on Cloudflare R2 solely for the duration required for manual review by our team. Once verification is complete, document images are archived in a restricted-access encrypted vault and are not used for any other purpose.

5. Biometric & Photo Data

Under the SPDI Rules 2011, biometric data — including facial images used for identity purposes — constitutes Sensitive Personal Data or Information (SPDI). We handle this data with the highest level of care:

  • Selfie Verification: During the verification process, we capture a live selfie which is processed by AWS Rekognition to confirm liveness and match against your submitted identity documents. The verified selfie is stored permanently as your "identity anchor" at a restricted access path and is NEVER deleted, even if you delete your account — this is to prevent the same person from re-registering with a new identity after being rejected.
  • Photo Processing: All profile and gallery photos are processed through AWS Rekognition for: (a) single-face detection to confirm only your face is in the photo, (b) NSFW content moderation to detect and reject inappropriate imagery, and (c) face comparison against your verified selfie to confirm it's truly you (threshold: 85% confidence).
  • No Biometric Templates: We do not store facial recognition templates, embeddings, or biometric templates. Only the original image files are stored. AWS Rekognition processes images and returns comparison scores; it does not store templates on our behalf.
  • Watermarking: All photos served through the Platform are watermarked with a dynamic overlay to prevent misuse and unauthorised distribution.
  • Storage: All photos are stored on Cloudflare R2 (encrypted at rest) and served via Cloudflare CDN with access controls.

6. Sensitive Personal Data or Information (SPDI)

Under the IT (SPDI) Rules 2011, the following categories of your data constitute Sensitive Personal Data or Information (SPDI), and we treat them with heightened protection and require your explicit consent for collection:

  • Biometric data (selfie, face matching scores)
  • Health and physical disability information (if voluntarily disclosed)
  • Financial information (income range — only stored in bucketed/non-precise form)
  • Sexual orientation (not explicitly collected; marital intent is the platform's purpose)
  • Religious beliefs and community affiliation (Gotra, Aakna, religion)

You may withdraw your consent for SPDI collection at any time by deleting your account, subject to our data retention obligations under applicable law. Withdrawal of consent may prevent you from using the Platform, as verification is mandatory for all users.

8. How We Use Your Information

We use your personal data for the following specific purposes:

  • Account creation, authentication, and session management
  • Mandatory identity verification (Aadhaar KYC / document verification / selfie liveness check) before your profile goes live
  • Building and displaying your matrimonial profile to other verified users (subject to your privacy settings)
  • Operating our AI-powered compatibility scoring and recommendation engine
  • Enforcing Gotra auto-exclusion — same-gotra profiles are permanently excluded from your search results and recommendations at the database level
  • Enabling messaging, interest expressions, and other interactive features between verified users
  • Sending transactional notifications via SMS (MSG91), email (Resend/SES), push notifications, and WhatsApp Business (opt-in only and with pre-approved templates)
  • Processing payments for premium subscriptions through Razorpay
  • Computing your Seriousness Score (a platform-internal trust indicator based on login frequency, response rate, profile completeness, and verification level — shown only to other users as a label like 'Highly Active')
  • Detecting and preventing fraud, fake profiles, and abuse
  • Complying with legal obligations and responding to lawful government requests
  • Improving the Platform through aggregated, anonymised analytics
  • Sending service communications (verification status updates, subscription renewal reminders, policy changes)

9. Information Sharing & Disclosure

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes. We share your data only in the following circumstances:

With Other Verified Users

Your visible profile information (name, age, photos, community details, education, location) is shared with other verified users of the Platform, subject to your privacy settings. You can hide your profile from specific cities/states, control photo visibility, and browse anonymously.

With Service Providers

We engage the following third-party service providers under strict data processing agreements:

  • -Razorpay (India) — Payment processing. Only transaction metadata is shared; Razorpay handles all card/UPI/bank data directly.
  • -Surepass / DigiLocker — Aadhaar eKYC verification. Only the verification request is transmitted; no Aadhaar data is returned to or stored by us.
  • -AWS Rekognition (Amazon Web Services) — Photo processing (face detection, comparison, NSFW moderation). Only image data is transmitted; no biometric templates are stored by AWS on our behalf.
  • -MSG91 — SMS OTP delivery. Only your phone number is shared for OTP transmission.
  • -Resend / AWS SES — Transactional email delivery. Only your email address and message content are shared.
  • -Cloudflare — CDN delivery and DDoS protection. Cloudflare may process your IP address per their privacy policy.
  • -WhatsApp Business API — Notification delivery (opt-in only). Only your phone number and pre-approved message content are shared.

With Law Enforcement & Government Authorities

We may disclose your personal data to government authorities, courts, or law enforcement agencies where required by law, court order, or government direction under the IT Act, DPDPA 2023, or any other applicable Indian law. We will notify you of such disclosures to the extent permitted by law.

In Case of Business Transfer

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you before your personal data becomes subject to a different privacy policy.

With Your Explicit Consent

We may share your data with any other third party for purposes not covered above, only with your prior, explicit, and informed consent.

10. International Data Transfers

While we are an India-first platform and store the majority of your data within India, certain third-party service providers (such as AWS for Rekognition image processing and Cloudflare for CDN delivery) may process your data in jurisdictions outside India. We ensure that such transfers comply with the DPDPA 2023 and that adequate safeguards are in place, including contractual data processing agreements that require equivalent levels of data protection. You consent to such transfers by using the Platform.

11. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this Policy or as required by applicable law:

Data TypeRetention PeriodReason
Profile & account dataDuration of active accountService provision
Profile data after account deletion90 days (then permanently deleted)Dispute resolution window
Verified selfie imageIndefinitely (even after account deletion)Prevent re-registration after rejection/fraud
Aadhaar SHA-256 hash5 years after account deletionPrevent duplicate or fraudulent re-registration
Financial / payment records8 years after transactionGST compliance, IT Act Section 67C
Verification documentsDuration of manual review + 30 days after decisionAdmin review process
Income verification documents7 days after review decision (auto-deleted)Minimal retention as per sensitivity
Chat messagesDuration of active conversation (deleted when both parties delete)Service provision
Aggregated analyticsIndefinitely (fully anonymised)Product improvement
Fraud/abuse records5 years after incidentLegal protection, repeat offender detection

12. Your Rights Under DPDPA 2023

Under the Digital Personal Data Protection Act 2023, you have the following rights as a Data Principal:

Right to Access Information

You have the right to obtain a summary of your personal data that we process, the processing activities undertaken, and the identities of Data Fiduciaries and processors with whom we share your data. Submit access requests to dpo@milanse.com.

Right to Correction & Erasure

You have the right to correct inaccurate or outdated personal data and to erase your personal data where processing is no longer necessary or where you withdraw consent. You can update most data directly in your profile settings. For erasure requests (account deletion), visit Settings > Account > Delete Account.

Right to Grievance Redressal

You have the right to have your grievances addressed by our Grievance Officer within the timelines specified under the IT Intermediary Guidelines (within 15 days for acknowledgement, 30 days for resolution). Contact: grievance@milanse.com.

Right to Nominate

Under DPDPA 2023, you may nominate another individual to exercise your data rights on your behalf in the event of death or incapacity. Contact dpo@milanse.com to submit a nomination.

Right to Withdraw Consent

You may withdraw your consent to processing at any time. Withdrawal of consent will result in account deactivation, as verification and data processing are essential to operating the Platform. This does not affect the lawfulness of processing carried out before withdrawal.

How to Exercise Your Rights

Email dpo@milanse.com with your registered phone number, the right you wish to exercise, and any supporting information. We will acknowledge your request within 15 days and resolve it within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023).

13. Your Privacy Controls on the Platform

In addition to your statutory rights, the Platform provides granular, real-time privacy controls:

  • Profile Visibility: Hide your profile from search results entirely (go invisible) or hide from specific cities, states, or countries.
  • Anonymous Browsing: Browse profiles without appearing in their 'Recently Viewed' list.
  • Photo Privacy: Set photos to be visible to everyone, only to users you've mutually expressed interest in, or only to accepted connections.
  • Block Users: Block specific profiles from ever seeing or contacting you.
  • Contact Controls: Control who can send you interests and messages.
  • Notification Preferences: Granular control over SMS, email, push notification, and WhatsApp notification categories.
  • Data Download: Request a download of all your personal data from Settings > Account > Download My Data.
  • Account Deletion: Permanently delete your account and all associated data (excluding legally retained data) from Settings > Account > Delete Account.

14. Data Security

We implement reasonable security practices as required by Rule 8 of the SPDI Rules 2011 and industry best practices. Our security measures include:

No system is completely secure. While we take all reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you and the appropriate authorities as required under applicable law.

  • Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3.
  • Encryption at rest: All data stored in our database (PostgreSQL) and file storage (Cloudflare R2) is encrypted at rest.
  • Secure session management: JWT-based authentication with short expiry, refresh token rotation, device-bound sessions, and concurrent session limits.
  • Rate limiting: All API endpoints are rate-limited to prevent brute force and abuse.
  • DDoS protection: Cloudflare provides network-layer DDoS protection.
  • Device fingerprinting: Unusual login patterns trigger re-authentication requirements.
  • Access controls: Internal access to user data is role-based and logged. Only authorised team members can access verification data.
  • Regular audits: We conduct periodic internal security reviews and vulnerability assessments.
  • Password hashing: Passwords are hashed using bcrypt with a cost factor of 12 before storage.

15. Cookies & Local Storage

We use cookies and browser local storage for essential platform functions. For full details, see our Cookie Policy. In summary: we do not use advertising or third-party tracking cookies. We only use essential (authentication, security, preferences) and analytics cookies (first-party, aggregated). You can manage cookie preferences in your browser settings, but disabling essential cookies will prevent you from logging in.

16. Children's Privacy

The Platform is strictly for adults. Users must be at least 18 years of age (females) or 21 years of age (males) per the eligibility requirements of Indian matrimonial law. We do not knowingly collect personal data from anyone under 18 years of age. If we discover that a user is under 18, we will immediately terminate their account, delete their data, and notify their guardian where possible.

If you believe a minor has created a profile on our Platform, report it immediately to grievance@milanse.com. We will take action within 24 hours.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. For material changes, we will provide at least 30 days' advance notice via in-app notification and email to your registered address. Continued use of the Platform after the effective date of the revised Policy constitutes acceptance of the changes. If you do not agree to the changes, you must stop using the Platform and may delete your account.

19. Grievance Officer (As Required by IT Rules 2011 & DPDPA 2023)

As required under Rule 5(9) of the IT (SPDI) Rules 2011 and the IT (Intermediary Guidelines) Rules 2021, we have appointed a Grievance Officer to address complaints and concerns related to your personal data:

Under the Consumer Protection Act 2019, you also have the right to file a complaint with the National Consumer Disputes Redressal Commission (NCDRC) or the relevant State/District Consumer Forum for grievances arising from our services.

DetailInformation
Name[Grievance Officer Name — to be updated]
DesignationGrievance Officer & Data Protection Officer
OrganisationMilanse Private Limited
Emailgrievance@milanse.com
Response Time (Acknowledgement)Within 15 business days
Response Time (Resolution)Within 30 business days
EscalationData Protection Board of India (once constituted under DPDPA 2023)

20. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

PurposeContact
General privacy questionsprivacy@milanse.com
Data access / erasure requestsdpo@milanse.com
Grievances & complaintsgrievance@milanse.com
Legal & compliancelegal@milanse.com
Postal addressMilanse Private Limited, Mumbai, Maharashtra, India

This document was last updated on March 8, 2026. If you have questions about this document, please contact us at legal@matrimony.com.