Privacy Policy — Treasure Trove

1. Introduction

This Privacy Policy ("Policy") describes how Treasure Trove ("we," "us," or "our") collects, processes, stores, and protects personal data of users ("you") of the TreasureTrove.site platform.

This Policy applies to all personal data processed in connection with your use of our website, mobile experience, and related services. By registering on Treasure Trove, you acknowledge that you have read and understood this Policy.

We act as the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023.

2. Data We Collect

2.1 Data You Provide Directly

Data	Why Collected	Required?
Full Name	Account identification and personalisation	Yes
Email Address	Account login, OTP verification, notifications	Yes
Date of Birth	Age gate verification (18+ requirement)	Yes
Username	Public display name on leaderboard	Yes
Country	Localised reward pricing, task availability	Yes
Password (hashed)	Account security — bcrypt (cost 12), never stored in plain text	Yes
PAN Number (encrypted)	TDS compliance — collected only when annual payouts exceed ₹10,000	Conditional
Profile Avatar	Profile personalisation — stored on platform server	No
Task Proof Images	Verifying task completion claims	Per-task
UPI ID / Bank Details	Processing cash payout redemptions (via Razorpay/Cashfree)	For UPI redemption

2.2 Data Collected Automatically

Data	Purpose
IP Address	Fraud prevention, rate limiting, country detection (via ip-api.com)
Session Data	Maintaining your login state securely
Login Timestamps	Security audit, session management
Transaction Logs	Coin earn/redeem history, dispute resolution
Postback Logs	Verifying offer wall completions, fraud detection

2.3 Consent Records

At registration, we record your consent decisions (account data, marketing, analytics) along with the consent version, timestamp, and IP address. This record is stored in our user_consents table as required by the DPDP Act 2023.

3. Legal Basis for Processing

Under the DPDP Act 2023, we process your personal data on the following grounds:

Consent: Where you have given explicit consent — e.g. marketing emails, analytics tracking. You may withdraw consent at any time via your Privacy Settings.
Contractual Necessity: Data required to provide the service — account creation, coin crediting, reward redemption.
Legal Obligation: PAN collection for TDS, transaction logs for regulatory compliance.
Legitimate Interests: Fraud prevention, platform security, and abuse detection — balanced against your rights.

4. How We Use Your Data

Account management: Creating and maintaining your account, verifying your identity.
Platform services: Crediting coins, processing redemptions, maintaining your transaction history.
Communication: Sending OTPs, account alerts, redemption updates, and (with your consent) marketing emails.
Fraud prevention: Detecting and preventing fraudulent activity, duplicate accounts, and coin manipulation.
Legal compliance: TDS processing, responding to law enforcement requests as required by Indian law.
Analytics (with consent): Understanding how users interact with the platform to improve features.
Leaderboard: Displaying a partially masked username (e.g. "Rahul K.") on the public leaderboard.

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or significant effects on you without human review.

5. Third-Party Services

We use the following third-party services. Each operates under its own privacy policy:

Service	Purpose	Data Shared
PHPMailer / Mailgun	Transactional emails (OTP, redemption updates, alerts)	Your email address and name
Razorpay (RBI-licensed PA)	UPI and bank transfer payouts	UPI ID, name, PAN (if TDS applicable)
Cashfree Payments (RBI-licensed PA)	Alternative UPI/bank payout processor	UPI ID, name, PAN (if TDS applicable)
ip-api.com	Country detection at registration (GeoIP)	Your IP address (no personal data beyond IP)
Google reCAPTCHA v3	Bot protection on login and registration forms	Browser/device signals (per Google's policy)
Google Analytics 4	Traffic analytics (with your consent)	Anonymised usage data — no PII
Offer Wall Partners	Third-party task and survey providers	A unique user identifier (not your email) via postback

No cloud storage: All uploaded files (avatars, task proofs, blog images) are stored on our own secure Hostinger KVM2 VPS server in India. We do not use Cloudinary, AWS S3, or any external cloud storage for your files.

6. Data Retention

Data Category	Retention Period	Reason
Account data (active users)	Until account deletion request	Service provision
Account data (inactive users)	1095 days (≈ 3 years) after last activity	Platform Constants — configurable
Coin transaction logs	7 years from the transaction date	Tax and audit compliance (Income Tax Act)
Task proof images	90 days after task approval/rejection	Dispute resolution window
PAN Number	7 years from last TDS filing	Income Tax Act compliance
Postback / fraud logs	12 months	Fraud investigation
Consent records	Life of account + 3 years	DPDP Act compliance evidence
Marketing email consent (withdrawn)	3 years from withdrawal	Proof of consent withdrawal

Upon a verified erasure request (see Section 8), we will delete or anonymise your personal data within 30 days, except where we are legally required to retain it (e.g. transaction logs for tax compliance).

7. Your Rights Under the DPDP Act 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data held by Treasure Trove.

Right to Access

You may request a summary of the personal data we hold about you, the purposes for which it is processed, and with whom it has been shared.

Right to Correction

You may request correction of inaccurate, incomplete, or outdated personal data. Most profile data can be updated directly in your Profile Settings.

Right to Erasure

You may request deletion of your personal data. Upon erasure, your account is deactivated and data deleted within 30 days, subject to legal retention obligations.

Right to Data Portability

You may download a copy of your personal data in machine-readable JSON format from your Privacy Settings.

Right to Withdraw Consent

Where processing is based on your consent (e.g. marketing emails, analytics), you may withdraw that consent at any time without affecting prior lawful processing.

Right to Grievance Redressal

If you are dissatisfied with how we handle your data or your rights request, you may escalate to the Data Protection Board of India as established under the DPDP Act 2023.

8. How to Exercise Your Rights

The fastest way to exercise your rights is directly through your dashboard:

Download your data Go to Dashboard → Profile → Privacy Settings → click "Download My Data". A JSON file containing all your personal data will download immediately.

Update consents Toggle marketing and analytics consents on the same Privacy Settings page. Changes take effect immediately.

Request account erasure Click "Request Account Deletion" on the Privacy Settings page. Your account will be deactivated within 30 days and personal data deleted (except where legally required to be retained).

Other requests (access, correction) Email us at support@treasuretrove.site or use the Contact Form. We will respond within 30 days as required by the DPDP Act 2023.

We will verify your identity before processing any rights request. We do not charge a fee for handling rights requests unless they are manifestly unfounded or repetitive.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Passwords: Hashed using bcrypt (cost factor 12) — never stored in plain text.
PAN Number: Encrypted with AES-256-GCM using OpenSSL — stored as ciphertext only.
HTTPS / TLS: All data in transit is encrypted via Let's Encrypt SSL certificates with auto-renewal.
File uploads: Stored on our VPS with PHP execution disabled in the uploads directory. No user-uploaded files can execute as server-side code.
SQL Injection protection: All database queries use PDO prepared statements — no raw SQL string concatenation.
XSS protection: All user-supplied output is escaped with htmlspecialchars(ENT_QUOTES).
CSRF protection: All POST forms include cryptographic CSRF tokens regenerated after each use.
Rate limiting: Login, registration, and OTP endpoints are rate-limited via APCu to prevent brute-force attacks.
HTTP security headers: X-Frame-Options DENY, HSTS, X-Content-Type-Options, CSP enforced at the web server level.

While we take security seriously, no system is 100% secure. If you discover a security vulnerability, please responsibly disclose it to support@treasuretrove.site.

10. Children's Privacy

Treasure Trove is strictly for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. If you believe a minor has registered, please contact us at support@treasuretrove.site.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date, increment the Consent Version (current: 1.0), and notify you via email and/or in-app notification. A version bump in Consent Version will prompt you to review and re-accept updated consent terms on your next login.

Continued use of the platform after the effective date of the updated Policy constitutes acceptance of the changes.

12. Contact & Data Protection

For privacy-related enquiries, rights requests, or grievances, please contact us:

Privacy / DPO Contact: support@treasuretrove.site

Contact Form: TreasureTrove.site/contact

Privacy Settings (fastest): Dashboard → Profile → Privacy

Escalation: Data Protection Board of India (dpboard.gov.in) — if unsatisfied with our response

We will acknowledge privacy requests within 72 hours and resolve them within 30 days as required by the DPDP Act 2023.