ilaka

Privacy Policy

Effective date: 1 May 2025  ·  Last updated: 5 May 2026

ILAKA (“we”, “us”, “our”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights as a Data Principal under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable provisions of the General Data Protection Regulation (GDPR).

1. Data We Collect

1.1 Account Information

  • Name and email address — collected at registration; used to identify your account and send transactional emails.
  • Password — stored as a one-way bcrypt hash; we cannot recover your password.
  • Email verification status — to confirm your email address is valid.

1.2 Location Data

  • Approximate location (IP-derived) — resolved from your IP address via ipinfo.io or ip-api.com when you first visit the Platform, to show nearby events. This is not stored permanently; it is used only to serve the current request.
  • Precise location (optional) — if you grant browser geolocation permission, your coordinates are used to refine event results. Coordinates are not stored beyond your active session.
  • Profile location — if you manually set a home neighbourhood in your profile, it is stored in our database and used to personalise your default feed.

1.3 Event Data

Events you create (title, description, location, images, dates, capacity) are stored and displayed publicly or privately according to your visibility setting.

1.4 Usage and Engagement Data

  • RSVPs, likes, shares, and attendance records linked to your user ID.
  • Product analytics events (page views, feature interactions) collected via PostHog. These are associated with an anonymous user ID only — we do not send your name or email to PostHog.

1.5 Payment Data

When you make a payment, Razorpay collects your card/bank/UPI details directly. We store only the Razorpay order ID, payment status, amount, and currency — never raw card data.

1.6 Technical Data

Standard server logs may capture IP addresses, browser type, and timestamps for security and debugging purposes. These are retained for up to 30 days.

2. Legal Basis for Processing

We process your data on the following bases:

  • Consent — account registration, location sharing, marketing communications (if applicable).
  • Contractual necessity — processing payments, sending tickets, managing events you create or RSVP to.
  • Legitimate interests — fraud prevention, security monitoring, product improvement via anonymised analytics.
  • Legal obligation — compliance with Indian tax, anti-money laundering, and IT Act requirements.

3. How We Use Your Data

  • To create and manage your account.
  • To show you nearby events based on your location.
  • To send transactional emails: registration confirmation, email verification, password reset, event tickets.
  • To process payments for subscriptions, event hosting fees, and promotional placements.
  • To compute engagement scores that rank events in the feed.
  • To power semantic event search using OpenAI embeddings and Pinecone vector search.
  • To monitor for abuse and enforce our Terms of Service.
  • To improve the Platform through anonymised product analytics.

4. Third-Party Data Processors

We share data with the following processors who act under contractual data processing agreements:

| Processor | Purpose | Data shared |
|---|---|---|
| Razorpay | Payment processing | Name, email, order amount |
| Cloudinary | Image storage and delivery | Uploaded event/profile images |
| OpenAI | Semantic search embeddings | Event title + description text only |
| Pinecone | Vector search index | Event ID + embedding vectors |
| PostHog | Product analytics | Anonymous user ID, page events |
| Resend / SMTP | Transactional email delivery | Your email address, email content |
| Vercel | Hosting and edge compute | Request logs (IP, headers) |

We do not sell your personal data to third parties. We do not use your data for behavioural advertising.

5. Data Retention

  • Account data — retained while your account is active and for 90 days after deletion to allow for account recovery.
  • Event data — retained while the event is active; expired events are automatically purged 30 days after their end time.
  • Payment records — retained for 7 years as required by Indian tax and accounting regulations.
  • Server logs — retained for 30 days.
  • Email verification tokens — expire after 24 hours.
  • Password reset tokens — expire after 1 hour.

6. Your Rights

Under the DPDP Act and GDPR (where applicable), you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate or incomplete data via your profile settings or by contacting us.
  • Erasure — request deletion of your account and associated personal data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdrawal of consent — withdraw consent at any time where processing is consent-based (e.g., location sharing).
  • Grievance redressal — raise a complaint with our Grievance Officer or with the Data Protection Board of India.

To exercise any of these rights, contact our Grievance Officer at: privacy@ilaka.app. We will respond within 30 days.

7. Cookies and Local Storage

We use no third-party tracking cookies. Session authentication uses an HttpOnly, Secure, SameSite=Lax cookie managed by NextAuth. Product analytics (PostHog) use localStorage only, not cookies, to store an anonymous identifier.

8. Children's Privacy

ILAKA is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we will delete the account.

9. Data Security

We implement industry-standard security measures including TLS encryption in transit, bcrypt password hashing, HttpOnly session cookies, timing-safe webhook signature verification, and rate limiting on all sensitive endpoints. No system is perfectly secure; we cannot guarantee absolute security.

10. International Transfers

Some of our third-party processors (OpenAI, Pinecone, PostHog, Cloudinary) are based outside India. Where data is transferred internationally, we rely on contractual safeguards and the respective processor's compliance with applicable data protection law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or a notice on the Platform at least 7 days before they take effect. Continued use of the Platform constitutes acceptance of the updated policy.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, the details of our Grievance Officer are:

Name: ILAKA Support Team
Email: privacy@ilaka.app
Response time: Within 30 days of receiving a complaint.

13. Contact

For any privacy-related queries, contact us at privacy@ilaka.app.