Privacy

What we store

• A nickname you pick (max 24 characters).
• An anonymous user ID assigned to your session.
• A salted SHA-256 hash of your PNR — never the PNR itself. Cached for up to 24 hours, then deleted.
• Messages, posts, and comments you write inside the room.
• The room you joined (train number + journey date), so we can show the right content.

What we do not store

• Your raw PNR.
• Your surname, real name, or any other passenger detail.
• Your email, phone number, or precise location.
• Payment information (the app is free).

How long things stick around

• Each room — and everything in it — is auto-deleted 48 hours after the journey date.
• The PNR hash cache is cleared after 24 hours.
• Server logs that may briefly contain your IP address are kept by our hosting provider for short retention periods, then rotated out.

Where data flows

Rail Rahi uses third-party providers to keep itself running on a free tier:

• Supabase (database, anonymous auth, realtime) — hosted in the Mumbai region.
• RapidAPI — used at sign-in to validate your PNR. Only the PNR is sent; the response is cached against the hash so we don't re-send.
• PostHog — anonymous product analytics. No PNR, surname, or message content is sent.
• Vercel — the app itself runs on Vercel's edge network.

Your rights under the DPDP Act 2023

Because we don't collect identifying personal data, most obligations under the Digital Personal Data Protection Act don't directly apply. We still give you two ways to exercise control:

• Leave & forget — the button in the room header clears your local session and caches. Your existing messages remain visible to others in that room until the 48-hour cascade-delete.
• Grievance Officer — to demand immediate deletion of specific content, write to the Grievance Officer at /contact. We acknowledge within 24 hours and resolve within 15 days, as required by the IT Rules 2021.