Privacy Policy

Indic Engine is operated by Sashi Bhusan Hemrom, an individual technology service provider registered in India. For the purposes of the Digital Personal Data Protection Act 2023 (DPDP Act), Indic Engine acts as a Data Processor — not a Data Fiduciary.

Our clients (API key holders) are the Data Fiduciaries. They collect consent from their end-users and instruct us to process messages on their behalf. We process data only as directed, for no independent purpose.

When your API key is used, we log the following operational metadata to Supabase for billing and usage analytics. This is the complete set — no other fields are written to persistent storage.

• client_id — your API key hash (for billing)
• raw_token_count — integer, e.g. 144
• compressed_token_count — integer, e.g. 32
• timestamp — UTC, for rate-limit enforcement
• vertical — the declared intent domain, e.g. realestate
• savings_pct — computed: (raw − compressed) ÷ raw

The following data categories never touch persistent storage at any point in the request lifecycle:

• Message content — the raw user message is never written to disk
• Semantic cache — only the compressed JSON result (not the original message) is cached, per-client only, and expires after 30 days
• Protected Health Information (PHI) — symptoms, diagnoses, medications, doctor names
• Personally Identifiable Information (PII) — names, addresses, phone numbers appearing in message bodies
• Patient identities — no healthcare record linkage is possible in our system
• Financial instrument details — raw Aadhaar, PAN, account numbers (see Section 06 for optional scrubbing)
• IP addresses — originating IPs are not logged to our storage
• User agent strings — not logged

Every compression request follows this lifecycle:

• Edge arrival — request lands at a Cloudflare Worker at the nearest PoP (India, Gulf, or EU)
• In-memory compression — Groq LPU processes the message in RAM; no disk write occurs at this stage
• Response dispatch — compressed JSON is returned in the HTTP response body
• Log write — only the token counts and metadata listed in Section 02 are written to Supabase
• Memory cleared — the Worker context is destroyed; message content ceases to exist in any system

The semantic cache (Cloudflare Vectorize) stores vector embeddings of prompts to enable cache hits. Embeddings are mathematical representations — they cannot be reversed to recover the original message text. Cache entries are isolated per client and expire after 30 days.

Message content transits through Cloudflare and Groq during the compression step — it is not stored by either party on our account. All sub-processors are bound by their own data processing agreements.

For healthcare, BFSI, and high-privacy deployments, clients may enable pre-compression financial identifier scrubbing by passing scrub_pii: true in the request body.

When enabled, the following identifier patterns are masked to [REDACTED] before the message reaches the compression model:

• Aadhaar numbers — 12-digit patterns (e.g. 1234 5678 9012)
• PAN card numbers — 10-char alphanumeric (e.g. ABCDE1234F)
• Bank account numbers — 9–18-digit numerics in financial context
• Credit/debit card numbers — 13–16-digit patterns, Luhn-validated
• IFSC codes — 11-char bank branch identifiers
• UPI VPAs — patterns matching handle@bank

For maximum privacy — or for deployments that require zero third-party data retention — pass the X-No-Log: true header on any request. This disables all Supabase logging for that specific request.

When X-No-Log: true is set:

• No token counts written to Supabase for that request
• Plan quota is still enforced via an anonymous increment counter
• No database row is created that could be queried, exported, or breached
• Monthly savings reports will not include no-log requests

Available on all paid plans. Recommended as default for healthcare and BFSI verticals.

In the event of a confirmed or reasonably suspected data breach affecting client data:

• We will notify affected clients at their registered email address within 72 hours of becoming aware of the incident
• The notification will include: nature of the incident, categories of data affected, estimated number of records, remediation steps taken, and a contact for further enquiry
• We will cooperate fully with any regulatory investigation under the DPDP Act 2023

To report a suspected security issue immediately, email [email protected].

Under the DPDP Act 2023, clients using the Indic Engine API are Data Fiduciaries with respect to their end-users. This means:

• Clients are responsible for obtaining free, specific, informed, and unambiguous consent from end-users before routing their messages through Indic Engine
• Clients must maintain a lawful basis for processing under applicable law (WhatsApp BSP terms, TRAI regulations, or explicit user consent)
• Clients must not route messages containing sensitive personal data — financial account numbers, health records, biometric data — without enabling scrub_pii: true or equivalent pre-scrubbing on their side
• Clients must honour end-user requests for data access, correction, or erasure that relate to the client's own stored data
• Clients may not use the API to process data for purposes beyond intent compression and token cost reduction
• Clients may not attempt to reconstruct, reverse-engineer, or extract personal data from Indic Engine logs or responses

By using the API, clients confirm they have read and accept these obligations. These obligations survive termination of any subscription plan.

For privacy enquiries, data access requests, erasure requests, or security disclosures, contact the founder directly:

We will acknowledge receipt of any privacy request within 24 hours and resolve it within the timeframes required by the DPDP Act 2023.

This policy was last updated on 07 June 2026. Material changes will be communicated to clients at their registered email address with 30 days notice before taking effect.