Friendly

Privacy Policy

Last updated: 13 May 2026 · Version 2.0

This policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") of India.

1. Identity of the Data Fiduciary

Friendly is a service operated by Tanvrit Pvt. Ltd. ("Tanvrit", "we", "us", or "our"), the data fiduciary for the purposes of the DPDPA.

Registered office: 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.

2. Data Protection Officer

Until Tanvrit appoints a separate Data Protection Officer, Vivek Singh (founder) acts as the DPO for grievance redressal under Section 8(9) of the DPDPA.

Contact: dpo@tanvrit.com

3. Personal Data We Collect

| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account | Display name, profile photo, mobile number, email, optional bio and location. | Create your Friendly account and identify you across devices. | Life of account + 90 days after a deletion request. |
| Authentication | Password hashes, one-time passwords, magic-link tokens, passkey credentials, refresh tokens. | Verify identity, prevent account takeover. | OTPs and magic-links: 10 minutes. Refresh tokens: until revoked. Auth audit logs: 365 days. |
| Messages & content | Chat messages, posts, comments, RSVPs, task lists, and any media you upload (photos, videos, files). | Deliver the core product. Messages are stored to sync across your devices. | Until you delete the message, conversation, or account. |
| Connections | People you follow, block, mute, or accept connection requests from. Optionally a hashed copy of phone contacts if you opt in to contact-import. | Power the connections graph and friend-of-friend suggestions. | Until you remove the connection or revoke contact-import. |
| Location (optional) | Coarse location only, when you explicitly use the "Nearby" tab or attach a location to a job or meeting. We do not track location in the background. | Show nearby people and opportunities when you ask for them. | Foreground use only. Latest location: until you revoke the permission. No background trail. |
| Device & telemetry | Device model, OS version, app version, IP address, crash logs, anonymised usage events, push notification tokens. | Deliver notifications, diagnose crashes, prevent abuse, measure aggregate feature usage. | Push tokens: until revoked. Raw events: 90 days. |
| Communications | Support emails, in-app messages to our team, abuse / safety reports. | Respond to your queries, investigate abuse reports. | 3 years after the case closes. |

We do not collect biometric data or financial-account data through Friendly. The product has no payment or KYC flow today.

4. Lawful Basis for Processing

Under DPDPA Section 4 we process personal data only when one of the following applies:

  • Consent (Section 6): for account creation, optional contact-import, location use, push notifications, and optional product communications.
  • Certain legitimate uses (Section 7): to fulfil a service you have initiated (deliver a message, RSVP an event), prevent fraud and abuse, comply with a court order, or respond to a medical or public-safety emergency.

5. Sharing & Cross-Border Transfers

We do not sell personal data. We share it only with the processors below, under contractual data-processing terms:

  • Google Cloud Run (asia-south1, Mumbai) — hosts our application servers. Data stays in India.
  • MongoDB Atlas — primary database; the cluster is configured for an Indian region.
  • Cloudflare — global CDN and DDoS protection; processes IP addresses at edge.
  • Firebase Cloud Messaging (Google LLC) — delivers push notifications on Android and the web.
  • Apple Push Notification service (Apple Inc.) — delivers push notifications on iOS and macOS.
  • Twilio Inc. (United States, with Indian DLT partners) — transactional SMS and OTP delivery.
  • Sentry / crash-reporting — processes anonymised stack traces and device metadata for diagnostics.

Where transfer outside India is necessary (Apple, Google, Twilio, Sentry), it is performed under the safeguards permitted by Section 16 of the DPDPA. We do not transfer data to any country notified by the Central Government as restricted.

6. Your Rights as a Data Principal

Section 11 of the DPDPA grants you the following rights, which we honour within 30 days of a verified request:

  • Right to access a summary of personal data processed.
  • Right to correction or erasure of inaccurate data.
  • Right to nominate another individual to exercise your rights.
  • Right of grievance redressal.
  • Right to withdraw consent (where consent is the basis of processing).

To exercise any of these, email dpo@tanvrit.com from the address registered to your account, or use the in-app account-deletion flow at /account/delete.

7. Children's Data

Friendly is intended for users aged 18 or above and is not directed to children. We do not knowingly collect data from a child. If a parent or guardian becomes aware that a child has registered, please write to dpo@tanvrit.com and we will delete the account and associated data. We do not target advertising at children and do not engage in behavioural tracking of minors.

8. Security

We apply reasonable security safeguards under Section 8(5) of the DPDPA, including:

  • TLS 1.3 in transit for all network communication.
  • Certificate pinning enforced in production builds.
  • AES-256-GCM encryption at rest for fields classified as personal data on our servers.
  • JWT-based authentication with mutex-protected refresh-token rotation.
  • OTP rate limiting and passkey replay protection.
  • Role-based access controls and audit trails on admin actions.

We do not currently hold ISO 27001 or SOC 2 attestations and do not claim a public uptime SLA. Availability is best-effort and will be backed by a public status page once that is operational.

9. Breach Notification

In the event of a personal-data breach, we will notify the Data Protection Board of India and every affected data principal within 72 hours of detection, in line with Section 8(6) of the DPDPA and the rules notified under it. The notice will describe the nature of the breach, the data categories involved, the likely consequences, and the mitigation steps we are taking.

10. Retention

  • Account & profile data: life of the account; 90 days after a deletion request, then purged or anonymised.
  • Messages, posts, content you create: until you delete them, the conversation, or your account.
  • Authentication logs: 365 days for fraud investigation.
  • Analytics events: 90 days at raw event level; aggregate counts may be retained indefinitely.
  • Abuse / safety reports: 3 years after case closure (or longer if mandated by a legal hold).

11. Cookies & Local Storage

On https://friendly.mobi and inside the web app we use the following:

  • auth_token, refresh_token (localStorage) — session continuity. Cleared on logout.
  • com.tanvrit.friendly.accessToken (localStorage) — namespaced session token for Friendly.
  • Cloudflare anti-DDoS cookies (__cf_bm) — security; set by Cloudflare.

India does not yet have a standalone cookie law; we follow best-practice consent for non-essential analytics and you may decline through your browser settings.

12. Updates to this Policy

We will email registered users at least 30 days before any material change to this policy. The version number and "Last updated" date at the top will always reflect the current revision.

13. Grievance Redressal & Contact

If you are not satisfied with our response, you may complain to the Data Protection Board of India once it is constituted under the DPDPA.

Tanvrit Pvt. Ltd.
Attn: Data Protection Officer
168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India
Email: dpo@tanvrit.com
Product support: hello@friendly.mobi