Privacy Policy

We built Rrumr so you can speak freely, anonymously or out loud. That only works if you trust us with your data. This policy explains exactly what we collect, how we use it, and your rights.

Effective: 3 June 2026 · Governed by Indian Law
01

Who we are

Rrumr ("Rrumr", "we", "us", "our") is a youth-first social platform that lets users share gossip, real talk, and opinions, anonymously or under their name, with built-in accountability tools. We operate the website rrumr.in and any associated mobile applications (collectively, the "Platform").

For the purposes of the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Act, 2023 (DPDP Act), Rrumr is the Data Fiduciary: the entity that determines the purpose and means of processing your personal data.

Key contact

Rrumr · Grievance & Privacy queries: privacy@rrumr.in

02

Section 79 of the IT Act: Our Safe Harbour Status

This section matters because it defines what Rrumr is legally responsible for, and what it is not. We believe you have a right to understand this.

Section 79, IT Act 2000 Safe Harbour

Section 79(1) of the Information Technology Act, 2000 provides that an intermediary shall not be liable for any third-party information, data, or communication link made available or hosted by it.

Rrumr is an intermediary. We are a neutral platform. We do not write, edit, or curate individual posts made by users. We transmit and host content created by you, not by us.

This protection is conditional. We lose safe harbour if:

  • We initiate, modify, or select the recipients of unlawful content; or
  • We fail to act after receiving actual knowledge, defined by the Supreme Court in Shreya Singhal v. Union of India (2015) to mean a court order or government agency notification, that specific content is unlawful; or
  • We conspire with, abet, aid, or induce the commission of any unlawful act.

What this means for you

We cannot be forced to take down your post on the basis of a private complaint alone. Per Shreya Singhal v. Union of India [AIR 2015 SC 1523], takedowns require a court order or a government agency notification. We will resist arbitrary or politically motivated takedown demands and inform affected users wherever legally permissible.

How we maintain Section 79 compliance

To preserve our safe harbour (and your protection) we comply with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended in 2023) by:

  • Publishing and enforcing this Privacy Policy and our Terms of Service;
  • Publishing rules that prohibit users from posting unlawful content (see Section 5 below);
  • Appointing a Grievance Officer based in India (see Section 11);
  • Acknowledging user complaints within 24 hours and resolving them within 15 days;
  • Actioning court or government takedown orders within 3 hours of receipt;
  • Removing non-consensual intimate imagery or deepfake content within 2 hours of a valid order;
  • Not altering third-party content or initiating unlawful transmissions.

Our commitment

Section 79 is not a shield for bad actors. It is a shield for free speech. We will comply with every lawful order, and we will challenge every unlawful one. The tea stays on the table; harassment gets removed.

03

Data we collect

We collect only what we need to run the Platform. Here is a plain-language breakdown:

Account data (when you sign up)

  • Username (can be a pseudonym, you do not have to use your real name)
  • Email address
  • Password (stored as a hashed value, never plain-text)
  • Date of birth (to verify you are 13 or older)
  • Optional: profile picture, bio, college/school name

Content data (what you post)

  • Posts, comments, votes, predictions, and reactions you create
  • Whether a post is anonymous or attributed. We store this flag separately
  • Tea Points earned and leaderboard ranking

Usage data (automatically collected)

  • IP address and general location (city/region level only)
  • Device type and browser
  • Pages viewed, time on page, interactions
  • Referral source (how you found us)

Waitlist data (pre-launch)

  • Email address only. Used solely to notify you of launch.

Anonymous posts

When you post anonymously, your username is hidden from other users. However, Rrumr retains the association between anonymous posts and your account internally solely for the purpose of: (a) compliance with lawful court orders under Section 79(3)(b) of the IT Act; and (b) enforcing our community rules against repeat abuse. We will not voluntarily reveal this association to any private party.

04

How we use your data

We use your data only for the purposes listed below. We do not sell your data. Ever.

  • To operate the Platform: serving your feed, tracking Tea Points, running predictions.
  • To communicate with you: account notifications, policy updates, launch announcements.
  • To enforce our rules: identifying abuse, investigating reports, acting on court orders.
  • To improve the product: aggregate, anonymised analytics to understand how Rrumr is used.
  • To comply with law: responding to lawful government or court orders as required under Indian law.

We do not use your data for targeted advertising, do not share your data with advertisers, and do not build behavioural profiles for commercial sale.

05

User-generated content: what you may & may not post

As an intermediary under Section 79 of the IT Act, we require users to agree not to post content that:

  • Is patently false or misleading and designed to harm another person;
  • Is defamatory, obscene, or pornographic (especially child sexual abuse material, zero tolerance);
  • Threatens national integrity, sovereignty, or public order as defined under Article 19(2) of the Constitution of India;
  • Violates another person's intellectual property, trademark, or copyright;
  • Impersonates another person or entity in a deceptive manner;
  • Incites violence or constitutes harassment, stalking, or hate speech based on religion, caste, ethnicity, gender, or sexual orientation;
  • Violates any provision of the IT Act 2000, the Indian Penal Code, or any other applicable law.

Posting content that falls into the above categories may result in removal of the content (following a court order or government notification), suspension of your account, and/or disclosure of your identity to law enforcement where legally required.

Gossip ≠ harassment

Rrumr is built for candid, opinionated sharing. We draw the line at targeted harassment and fabricated content designed to harm real people. Spill the tea, don't weaponise it.

06

Sharing & disclosure

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • Service providers: trusted vendors (hosting, analytics, email) who process data on our behalf under strict data processing agreements and are prohibited from using your data for their own purposes.
  • Legal compliance: when compelled by a valid legal order, which for the purposes of this policy means: (a) an order of a court of competent jurisdiction in India; (b) a written direction issued by a designated government authority under Section 69 or Section 69A of the IT Act, 2000; (c) a requisition by a law enforcement agency (CBI, State Police) accompanied by a formal written request citing the specific legal provision under which disclosure is sought; or (d) any other instrument that carries the force of law under applicable Indian legislation and is issued by an authority with jurisdiction over Rrumr. Informal requests, private complaints, or requests not accompanied by a valid legal instrument do not constitute a valid legal order and will not result in disclosure. We will notify you of such orders wherever legally permitted and will not proactively disclose beyond what the order requires.
  • Safety emergencies: in rare cases where disclosure is necessary to prevent imminent harm or death, consistent with applicable Indian law.
  • Business transfers: if Rrumr is acquired or merges with another entity, your data may transfer. We will notify you in advance and you will have the right to delete your account before any transfer takes effect.

07

Your rights under the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 grants you the following rights as a Data Principal. These rights are available to you now and will be fully enforceable from May 2027 when all provisions of the Act come into force.

Right to Access

Request a summary of the personal data we hold about you and how we are using it.

Right to Correction

Ask us to correct inaccurate or misleading personal data we hold about you.

Right to Erasure

Delete your account and associated personal data at any time from your settings.

Right to Grievance Redressal

Lodge a complaint with our Grievance Officer if you believe your rights have been violated.

Right to Withdraw Consent

Withdraw consent for non-essential data processing at any time. This may affect some features.

Right to Nominate

Nominate a representative to exercise your data rights in the event of death or incapacity.

To exercise any of these rights, email privacy@rrumr.in from the address registered with your account. We will respond within 15 days.

Under 18?

Users aged 14 to 17 may register only with verifiable parental or guardian consent. At registration, we require the consenting parent or guardian to: (a) provide their own email address separately from the minor's; (b) actively confirm consent via a confirmation link sent to that email; and (c) acknowledge that they have read this Privacy Policy and our Terms of Service. Consent is logged with timestamp and email address and may be revoked at any time by contacting privacy@rrumr.in. We do not knowingly allow users under 13 to register. If you become aware of an underage account, please contact our Grievance Officer immediately.

08

Data security

We follow the Reasonable Security Practices and Procedures prescribed under Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:

  • Passwords hashed using industry-standard bcrypt or Argon2;
  • All data transmitted over HTTPS/TLS encryption;
  • Sensitive data encrypted at rest;
  • Access controls limiting who within Rrumr can view your personal data;
  • Regular security reviews;
  • Breach response plan: if we suffer a personal data breach, we will:
    • Notify the Data Protection Board of India (once constituted) and any other applicable authority within 72 hours of becoming aware of the breach, as required under the DPDP Act, 2023;
    • Notify affected users promptly and without undue delay after notifying authorities, with details of: what data was affected, likely consequences, and steps we have taken or propose to take to address the breach;
    • Where the breach is unlikely to result in harm to users, we may limit notification to authorities only, in line with applicable rules.

No system is 100% secure. Please use a strong, unique password and enable any two-factor authentication options we offer.

09

Retention & deletion

We keep your data only for as long as necessary:

  • Active account data: retained for as long as your account is active.
  • Deleted account data: personal identifiers deleted within 30 days of account deletion; anonymised aggregate data may be retained for analytics.
  • Anonymous post metadata: the internal link between an anonymous post and your account is retained for up to 3 years, solely for compliance with potential court orders.
  • Waitlist emails: deleted within 60 days of you receiving your launch invitation, or on request.
  • Legal hold: if we are under a valid legal obligation to preserve specific data, we will retain it only for the period required by that obligation.

10

Cookies & analytics

We use the following cookies and tracking technologies:

  • Essential cookies: session management and authentication. Cannot be disabled without breaking the Platform.
  • Analytics cookies: we use privacy-respecting, cookieless analytics (no cross-site tracking, no fingerprinting) to understand aggregate usage patterns. No personal data is shared with third-party ad networks.

You can disable non-essential cookies in your browser settings. This will not affect core Platform functionality.

11

Grievance Officer

As required under Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Rrumr appoints a Grievance Officer based in India.

Grievance Officer | Rrumr

Name: To be appointed prior to platform launch

Email: grievance@rrumr.in

Address: [Registered office address, India]

Hours: Monday – Friday, 10:00 am – 6:00 pm IST

What the Grievance Officer handles:

  • Complaints about content that violates this Privacy Policy or our Terms of Service;
  • Requests to remove content that violates your rights (including privacy violations);
  • Disputes about how your personal data is being used;
  • Notices from courts, government agencies, or law enforcement;
  • Any complaint relating to our obligations under the IT Act or DPDP Act.

Response timelines (IT Rules 2021)

Acknowledgment: within 24 hours of receiving your complaint.
Resolution: within 15 days for general complaints.
Urgent matters (NCII, child safety, imminent harm): escalated immediately.

If you are dissatisfied with our response, you may approach the Data Protection Board of India (once constituted under the DPDP Act, 2023) or any court of competent jurisdiction.

12

Changes to this policy

We will update this policy as the law evolves, particularly as rules under the DPDP Act, 2023 are notified and come into force (expected by May 2027). When we make material changes we will:

  • Update the "Effective" date at the top of this page;
  • Email registered users at least 14 days before changes take effect;
  • For significant changes, request fresh consent where required by law.

Continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the updated terms.

13

Account suspension & termination

Rrumr may suspend or terminate accounts, but only on defined grounds and following a fair process. We do not terminate accounts arbitrarily. Arbitrary or unexplained termination of paid accounts may constitute an unfair trade practice under the Consumer Protection Act, 2019, and we take that obligation seriously.

Grounds for suspension or termination:

  • Repeated or serious violation of our Terms of Service or community rules;
  • A valid court order or government direction requiring us to disable the account;
  • Fraudulent activity, impersonation, or conduct that poses a safety risk to other users;
  • Non-payment of any applicable subscription fees after reasonable notice;
  • Where continued operation of the account would cause Rrumr to lose its safe harbour protection under Section 79 of the IT Act.

Process before termination:

  • We will provide written notice of the alleged violation and an opportunity to respond, except where immediate action is required by law or to prevent imminent harm;
  • Free accounts will receive at least 7 days notice;
  • Paid subscribers will receive at least 30 days notice and a pro-rata refund of any prepaid fees for the unused period.

Section 79 and termination

Our termination decisions are governed by rule-based criteria, not editorial judgement about the views expressed in content. This is a deliberate legal choice: exercising editorial control over which views get removed would risk reclassifying Rrumr as a publisher rather than a neutral intermediary, which would undermine our Section 79 safe harbour. We remove accounts for conduct, not opinion.

Last updated: 3 June 2026  ·  Governed by the laws of India  ·  Jurisdiction: [City] courts

Questions? privacy@rrumr.in