Privacy Policy

Effective date: November 6, 2025

This Privacy Policy explains how CRAFTFIN TECHNOLOGY LABS PVT LTD ("Company", "we", "us") collects, uses, discloses, and safeguards personal information in connection with Unyt (the "Service"). By using the Service, you consent to this Policy.

Company & Contact

Company: CRAFTFIN TECHNOLOGY LABS PVT LTD · Website: https://unyt.money · Registered location: Bengaluru, Karnataka, India · Support: support@unyt.money

Information We Collect

  • Account & Profile: name, email, phone, verification status/timestamps, profile photo, optional DOB, gender, address, occupation/income, and family links (familyId, role, code).
  • Google Sign‑In: Google ID token verification (via Firebase); profile basics (name, email, photo). We do not receive/store your Google password.
  • Authentication & Security: OTP codes (temporary), JWT session identifiers (JTI) with expiry, lockout counters, audit logs with redacted fields.
  • Financial & Asset Data You Provide: bank account identifiers (masked and/or hashed account numbers, IFSC, UPI IDs), liabilities and credit card details (masked), investments (account/folio/demat numbers, PAN/UAN/PRAN where provided, policy/certificate numbers, partner, amounts/dates), insurance (provider, policy numbers, coverage), properties (addresses and registration/legal identifiers), nominees/beneficiaries, tags, sharing entries, and related metadata.
  • Notes & Passwords: stored only as encrypted payloads using client‑side end‑to‑end encryption (AES‑GCM). We cannot decrypt them and do not store your master password.
  • Documents: file metadata (bucket/key, eTag, size, contentType, status, categories, upload expiry, uploader/family/item linkage). File contents are uploaded/downloaded directly to object storage using presigned URLs.
  • Communications: OTP and notification delivery metadata (transaction IDs, template IDs), and support interactions.
  • Logs & Telemetry: structured logs and metrics for reliability/security with sensitive fields redacted; exported to our observability endpoint.

Google User Data Access and Usage

When you choose to sign in with Google, our application accesses the following types of Google user data:

Data Accessed

  • Name: Your Google account display name
  • Email Address: Your Google account email address
  • Profile Picture: Your Google account profile photo

Data Usage

We use the Google user data accessed solely for the following purposes:

  • Account Creation: To create and authenticate your Unyt account using your Google credentials. Your name, email, and profile picture are used to populate your account profile.
  • Application Display: To display your name, email, and profile picture within the Unyt application for identification and personalization purposes.

We do not share, sell, or disclose your Google user data to any third parties. The data is used exclusively for account creation and display within our application. We do not access or store your Google password, and authentication is handled securely through Google's OAuth system via Firebase.

Policy Review, Updates & Applicability

This Policy applies to the Unyt website (unyt.money) and our web application/APIs. We may update this Policy from time to time and will indicate the effective date. Where material changes affect how we process your information, we will endeavor to provide appropriate notice (e.g., in‑app or on our website).

Express Consent

By providing information and using the Service, you expressly consent to the collection, use, storage, and sharing of your information as described in this Policy, including receiving essential OTP/security communications. Where you provide personal information of others (e.g., family members, nominees, contacts), you represent that you have lawful authority and/or their consent to do so. You may withdraw consent to non‑essential processing at any time by contacting us; however, certain processing is necessary to provide the Service and, if withdrawn, may limit functionality.

Purposes of Processing

  • Authenticate you and maintain secure sessions; verify OTPs and manage authorization.
  • Provide core features: storing references/metadata, family sharing, usage/plan enforcement.
  • Facilitate document uploads/downloads using presigned URLs to object storage.
  • Ensure security, prevent fraud/abuse, perform troubleshooting and reliability improvements.
  • Provide support and communicate essential service notices (e.g., OTPs, security alerts).
  • Comply with applicable laws, respond to legal requests, and enforce our Terms.

How We Use Information

  • Provide, operate, and secure the Service (authentication, OTP, session management, authorization, family sharing).
  • Maintain and improve performance, reliability, and user experience; develop new features.
  • Communicate with you (OTPs, notices, support); comply with legal obligations; prevent fraud/abuse.

We do not sell your personal information.

Sharing & Disclosures

  • Service Providers: Firebase (token verification), cloud storage services, email/SMS providers, infrastructure and telemetry tooling—under contracts and safeguards.
  • Legal/Compliance: when required by law or to protect rights/safety.
  • Business Transfers: in mergers, acquisitions, or asset transfers, consistent with this Policy.

Family/Group Sharing: You can choose to share items with family or trusted members. We disclose such items to recipients you designate. For E2EE content (e.g., notes/passwords), we store only encrypted payloads.

Security

We implement reasonable technical and organizational safeguards, including transport security (HTTPS), access controls, structured logging with redaction, short‑lived OTP/session caches, and JWTs signed using RS256. Notes/passwords use client‑side end‑to‑end encryption with strong encryption algorithms; we store only encrypted payloads and wrapped key metadata. Documents are transferred via presigned URLs to cloud storage services. While we endeavor to comply with applicable laws (including the Information Technology Act, 2000 and relevant rules) and follow industry‑standard practices, no system is 100% secure.

Data Retention

We retain data while necessary to provide the Service and as required by law. Cache entries (e.g., OTPs, sessions) expire and are purged automatically after a short TTL. E2EE content persists until you delete it or reset your vault. Upon account deletion, we delete or anonymize associated data within a reasonable period, subject to legal retention and backup/archival constraints.

International Transfers

We may process/store data in India and/or other locations via our service providers with appropriate safeguards where required.

Your Rights & Choices

  • Access, correction, and deletion—subject to legal limits and verification.
  • E2EE recovery: if you lose your master password, we cannot decrypt or restore encrypted notes/passwords.
  • Manage communications preferences; essential service messages may still be sent.

Cookies Policy

We use cookies and similar technologies on the website and web app. These include strictly necessary cookies (e.g., authentication token, session continuity), preference cookies (e.g., UI state like sidebar), and limited functionality storage (e.g., localStorage for client state). We do not use advertising cookies. You can control cookies through your browser settings; disabling certain cookies may impact functionality.

Children’s Privacy

The Service is not directed to children under 18. Do not use the Service if you are under 18.

Changes to this Policy

We may update this Policy and will indicate the effective date. Material changes may be communicated via website or in‑app notices. Continued use constitutes acceptance.

Disclaimers

Our Service may contain links to third‑party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third‑party services you use.

Contact

For privacy questions or requests, contact support@unyt.money.

Last updated: November 6, 2025