Privacy Policy

Effective date: April 25, 2026

This Privacy Policy explains how CRAFTFIN TECHNOLOGY LABS PVT LTD ("Company", "we", "us", "our") collects, uses, discloses, and safeguards personal data in connection with Unyt (the "Service"). By using the Service, you agree to this Policy. Capitalized terms not defined here have the meaning given in our Terms & Conditions.

Company, Data Fiduciary & Grievance Officer

Company: CRAFTFIN TECHNOLOGY LABS PVT LTD · Website: https://unyt.money · Registered location: Bengaluru, Karnataka, India · Grievance Officer / Data Protection Contact: support@unyt.money

We are the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") for all personal data processed in connection with the Service.

Information We Collect

We collect the following categories of personal data:

Account & Profile

  • Name, email address, phone number, and profile photo.
  • Optional: date of birth, gender, occupation, income range, and full address (including pincode).
  • Verification status, timestamps, and family links (Family ID, role, family code).
  • App PIN (stored as a PBKDF2 hash with per-user salt; never in plaintext).

Authentication & Security

  • OTP codes (temporary; purged immediately after verification).
  • JWT session identifiers (JTI) with configurable expiry; refresh tokens stored in httpOnly cookies.
  • Login attempt counters for rate-limiting enforcement.
  • Audit log entries with sensitive fields such as full account numbers, PAN, OTPs, and document passphrases redacted before storage.

Financial & Asset Data

As entered by you:

  • Bank accounts: account identifiers (masked and hashed), IFSC code, account holder names, UPI IDs, balance, nominee and joint holder details.
  • Investments: account/folio/demat numbers, UAN (EPF), PRAN (NPS), ISIN, policy/certificate numbers, scheme codes, current value, invested amount, maturity dates, and returns.
  • Liabilities & credit cards: lender name, account/card identifiers (masked), interest rate, EMI amount, outstanding balance, credit limits, and repayment schedule.
  • Insurance: policy identifiers (masked and hashed), provider name, premium, coverage amount, beneficiaries, and covered members.
  • Real estate: full property address, registration/deed numbers, owner names, current market value, loan linkages, and nominee details.
  • Subscriptions: provider name, service name, amount, and renewal dates.
  • Tax filings: financial year, filing type, status, dates, and PAN (where voluntarily provided).
  • Contacts & nominees: name, phone numbers, email addresses, postal address, relationship type, and linked Items.

Sensitive Notes & Processing Data

  • Notes, extracted fields, and linked records are stored as part of your account and protected by authenticated access controls.
  • Sensitive backend fields are protected at rest where configured, including through database-level field encryption for selected data.
  • Document parsing runs only when you initiate an upload flow, and you confirm the extracted information before it is durably saved.

Documents

  • File metadata: storage bucket/key reference, eTag, file size, content type, upload and expiry timestamps, category, uploader identity, and Item linkage.
  • File contents are transferred directly between your device and cloud object storage via short-lived presigned URLs. We do not stream or cache file contents through our application servers.
  • Documents submitted for AI extraction are transmitted to our AI service provider as described in the "AI Document Processing" section below.

Communications & Notifications

  • OTP and notification delivery metadata (transaction IDs, template IDs, delivery status).
  • Support interactions, correspondence, and feedback you submit to us.

Logs & Telemetry

  • Structured application logs with all sensitive fields redacted before export.
  • HTTP request metrics, error rates, and latency measurements.
  • Distributed trace and span identifiers for service reliability monitoring.
  • Logs and telemetry are exported to our observability provider (Grafana Cloud) under a data processing agreement.

Google User Data Access and Usage

When you sign in with Google, we access the following data from your Google account:

Data Accessed

  • Name: Your Google account display name.
  • Email address: Your Google account email address.
  • Profile picture: Your Google account profile photo.

How We Use This Data

  • Account creation & authentication: To create and authenticate your Unyt account. Your name, email, and profile photo are used to populate your account profile.
  • In-app display: To display your name, email, and profile photo within the application for identification and personalization.

We do not share, sell, or disclose your Google user data to any third party except as described in this Policy. Authentication is handled via Google OAuth through Firebase. We do not receive or store your Google password. Notwithstanding anything to the contrary in this Policy, data obtained through Google APIs is used and transferred in accordance with Google's API Services User Data Policy, including its Limited Use requirements.

Gmail Account Integration

You may optionally grant us read-only access to financial emails in your Gmail account via Google OAuth. This is entirely optional. If you grant this access:

  • We access only financial services-related emails, including investment details, income tax documents (e.g., ITR), credit card statements, insurance policies, and bill payment confirmations for services tracked in the Platform.
  • Access is strictly read-only. We do not read, access, or process personal, social, or non-financial communications.
  • We do not use Gmail data for advertising, retargeting, personalized ads, or interest-based profiling of any kind. Gmail data is used solely to auto-populate your financial records and improve the accuracy of the Service.
  • Gmail data is not transferred to third parties except as necessary to operate the Service and as described in this Policy.
  • You can revoke Gmail access at any time via your Google Account settings at myaccount.google.com or by contacting support@unyt.money.
  • Upon revocation, we will immediately cease accessing new Gmail data. Previously extracted financial data (stored as structured records in your account) will remain until you choose to delete it.

We encourage you to review Google's Privacy Policy before granting Gmail integration. The use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Purposes of Processing & Lawful Basis

We process your personal data on the following lawful bases:

  • Contract performance: To authenticate you, maintain your account, deliver core Service features (financial inventory management, family sharing, document storage), enforce Plan limits, and process payments.
  • Consent: For optional features including Gmail integration, AI-powered document extraction, and non-essential marketing communications. You may withdraw consent at any time without affecting prior lawful processing.
  • Legitimate interests: For security, fraud detection, abuse prevention, service reliability, performance monitoring, troubleshooting, and business continuity — balanced against your rights.
  • Legal obligation: To comply with applicable Indian laws, respond to lawful governmental requests, and enforce our Terms & Conditions.

How We Use Your Information

  • Authenticate you and manage secure sessions (OTP verification, JWT issuance, Firebase token validation).
  • Provide core features: financial record storage and retrieval, family sharing, document upload/download, Plan enforcement.
  • Power AI document extraction (with your explicit consent, via third-party AI API).
  • Send essential service communications: OTPs, security alerts, transactional notifications.
  • Maintain, improve, and secure the Service; analyze performance; develop new features.
  • Process subscription payments via our payment service provider.
  • Comply with legal obligations; prevent fraud and abuse; respond to lawful requests.

We do not sell your personal data. We do not use your personal data for advertising or behavioral profiling.

Sharing & Disclosures

We share personal data only in the following circumstances:

Service Providers (Data Processors)

We engage the following sub-processors under data processing agreements that restrict use of your data to service delivery only:

  • Google Firebase — Authentication token verification. Receives: tokenized authentication credentials and profile basics (name, email, photo) from Google Sign-In.
  • OpenAI, LLC — AI-powered document extraction. Receives: document contents you upload for parsing (may include financial PII such as PAN, date of birth, and account numbers). Used only with your explicit consent.
  • MSG91 (or equivalent SMS/email provider) — OTP and transactional notification delivery. Receives: phone number or email address and OTP payload.
  • Cashfree Payments India Pvt. Ltd. — Subscription payment processing. Receives: billing name and email. We do not store payment card details.
  • Cloud Object Storage (AWS S3-compatible) — Document file storage. File contents are accessed directly via presigned URLs; we store only file metadata.
  • Grafana Labs — Application observability (logs, metrics, distributed traces). Receives: redacted structured logs and telemetry data with all sensitive fields removed before export.

Legal & Regulatory Disclosure

We may disclose personal data when required by applicable law, court order, or governmental or regulatory authority, or when necessary to protect the rights, property, or safety of the Company, our users, or the public.

Business Transfers

In connection with a merger, acquisition, asset sale, or corporate reorganization, your personal data may be transferred to a successor entity, subject to this Policy or a policy of equivalent or greater protection.

Family & Group Sharing

Items you designate as FAMILY-visible are disclosed to Family members per your visibility and permission settings. Private items remain visible only to you unless you explicitly change their visibility or share them with specific members. You are solely responsible for your sharing configuration.

No other sharing occurs. We do not share your data with advertisers, data brokers, or analytics companies.

AI Document Processing

When you use the AI-powered document extraction feature, document contents are transmitted to OpenAI's API for parsing. Uploaded documents may contain sensitive personal and financial data including PAN, date of birth, account numbers, and transaction history. We use zero-data-retention API configurations where available and contractually require that OpenAI does not train on your data. This processing occurs only with your explicit, per-use consent at the time of upload. You may always choose to enter data manually to bypass AI processing entirely.

Data Security

We implement the following technical and organizational security measures:

  • Transport security: HTTPS/TLS enforced for all data in transit.
  • Authentication: RS256-signed JWTs; Firebase-verified OAuth tokens; single-use OTPs with a short TTL, purged immediately after verification.
  • Rate limiting: 10 login attempts per 60-second window to prevent credential stuffing.
  • Database-level field encryption (MongoDB CSFLE) for selected sensitive fields at rest.
  • Document handling: uploads use scoped storage references and parsing runs only for user-triggered document workflows.
  • Sensitive-field redaction in all application logs before export to any external system.
  • Short-lived presigned URLs for document transfer, scoped to specific files.
  • Internal access controls and authorization guards enforcing role-based and plan-based access.

No system is 100% secure. In the event of a personal data breach, we will notify affected users and relevant authorities in accordance with timelines prescribed by applicable law, including the DPDP Act, 2023.

Data Retention

  • Active account data: Retained for the duration of your account.
  • OTP codes & session tokens: Auto-expire within minutes to hours; purged automatically.
  • Application logs: Short-term retention per our log rotation schedule; purged routinely.
  • Financial records & documents: Retained until you delete them or close your account.
  • Post-deletion cleanup: Following account deletion, we delete or anonymize your data within 90 days, subject to legal retention requirements and backup archival constraints.
  • Legal hold: Certain data may be retained for extended periods where required by applicable law, regulatory obligation, or ongoing legal proceedings.

International Transfers

We primarily process and store data in India. Certain sub-processors (including OpenAI and Grafana Labs) may process data outside India. We ensure appropriate safeguards for cross-border data transfers as required by the DPDP Act and applicable law, including contractual protections with overseas data processors.

Your Rights as a Data Principal (DPDP Act, 2023)

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to access: Obtain a summary of your personal data we process and information about the processing activities.
  • Right to correction: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to lawful retention requirements and our contractual obligations.
  • Right to grievance redressal: File a complaint with our Grievance Officer at support@unyt.money and, if unresolved, escalate to the Data Protection Board of India.
  • Right to nominate: Designate a nominee to exercise your data rights in case of your death or incapacity.
  • Right to withdraw consent: For consent-based processing (e.g., Gmail integration, AI extraction), withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, contact us at support@unyt.money. We will respond within the period prescribed by applicable law.

Express Consent

By using the Service, you expressly consent to the collection, use, storage, and sharing of your personal data as described in this Policy, including receiving essential OTP and security communications. Where you provide personal data of third parties (family members, nominees, contacts), you represent that you have their consent or lawful authority to provide such data. You may withdraw consent to non-essential processing at any time by contacting us; however, certain processing is necessary for the Service and withdrawal may limit functionality.

Cookies & Local Storage

We use the following on our website and web application:

  • Strictly necessary cookies: Authentication tokens (stored in httpOnly cookies), session continuity. Cannot be disabled without impairing core functionality.
  • Preference storage: UI state such as sidebar preferences stored in localStorage.
  • We do not use advertising cookies, third-party tracking cookies, or behavioral analytics cookies.

You can control or delete cookies via your browser settings; disabling strictly necessary cookies will impair authentication and core Service functionality.

Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, contact support@unyt.money and we will delete it promptly.

Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant data protection authority in accordance with the timelines and procedures prescribed by the DPDP Act, 2023 and other applicable law. Notifications will include, where feasible: the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

Third-Party Links & Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to independently review the privacy policies of any third-party services you access through the Service.

Policy Review, Updates & Applicability

This Policy applies to the Unyt website (unyt.money), our web application, mobile application, and APIs. We may update this Policy from time to time. For material changes affecting how we process your personal data, we will endeavor to provide at least 14 days' advance notice via in-app notification or email. Continued use of the Service after the effective date of any revised Policy constitutes acceptance.

Contact & Grievance Officer

For privacy questions, data access or deletion requests, or grievances, contact our Grievance Officer:

Email: support@unyt.money
Company: CRAFTFIN TECHNOLOGY LABS PVT LTD, Bengaluru, Karnataka, India

We will acknowledge all grievances within 24 hours and address them within the timelines prescribed by applicable law. If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.

Last updated: April 25, 2026