DESIWAY - PRIVACY POLICY

Last Updated: November 12, 2025 Effective Date: November 12, 2025 Version: 1.4

INTRODUCTION

MANOHARA LIMITED, trading as DesiWay ("we", "us", "our", "Company") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the DesiWay mobile application, website, and related services (collectively, the "Platform").

This Privacy Policy complies with:

EU General Data Protection Regulation (GDPR)
ePrivacy Directive
Digital Services Act (DSA)
Other applicable data protection laws

By using the Platform, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Platform.

Data Controller Information
Personal Data We Collect
How We Collect Your Data
Legal Basis for Processing
How We Use Your Data
Data Sharing and Disclosure
International Data Transfers
Data Retention
Your Rights (GDPR & EU Law)
Data Security
Cookies and Tracking Technologies
Third-Party Services
Children's Privacy
Changes to This Privacy Policy
Contact Us

1. DATA CONTROLLER INFORMATION

Data Controller: MANOHARA LIMITED (trading as DesiWay) VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND Company Registration Number (CRO): 797787 Incorporation Date: 18 September 2025 Email: [email protected]

Data Protection Officer (DPO): Email: [email protected]

EU Representative: Not applicable - MANOHARA LIMITED is registered in Ireland, an EU Member State.

2. PERSONAL DATA WE COLLECT

We collect the following categories of personal data:

2.1. Account Registration Data

Email address (required)
Password (hashed and encrypted)
Full name (optional but recommended)
Username (unique identifier)
Profile picture/avatar (optional)
OAuth provider data (if you sign in with Google or Apple):
- Google OAuth: Google user ID, name, email, profile picture URL
- Apple Sign-In: Apple user ID, name (optional), email (real or private relay)

2.2. Profile Data

Bio/description (optional)
Location data:
- City
- Country
- Region (optional)
Community interests (selected by user)
Verification status (if you choose to verify your account)
Business information (for business directory listings):
- Business name
- Business type
- Contact information
- Business license (if provided for verification)

2.3. User-Generated Content

Posts and comments: Text, images, videos, links
Event listings: Event details, location, date, description, images
Accommodation listings: Property details, photos, pricing, location
AirBring requests and travel plans: Origin, destination, item descriptions, dates, urgency
Marketplace listings: Item descriptions, photos, pricing
Messages: Direct messages sent to other users

2.4. Transaction Data

Event registrations: Registration details, ticket purchases (processed by third-party payment providers)
Boosted posts/advertisements: Campaign details, payment information (processed by third-party payment providers)

Note: We do not directly handle or store payment card information. All payment processing is handled by PCI-DSS compliant third-party payment processors.

2.5. Usage Data (Error Tracking Only - Sentry)

Error Tracking Data (Collected ONLY when app crashes or errors occur):

Device information:
- Device type (Android/iOS, model)
- Operating system version
- App version
Error data:
- Stack traces (code that caused error)
- Error messages
- User ID (if logged in - helps us fix user-specific bugs)
- App state at time of error

What We DO NOT Collect:

❌ Browsing history or page views
❌ Feature usage analytics
❌ User behavior tracking
❌ IP addresses (Sentry can collect but we disable)
❌ Advertising IDs

Purpose: Identify and fix bugs, improve app stability

Legal Basis: Legitimate interests (improving app quality)

Third-Party Service: Sentry.io (Privacy Policy: https://sentry.io/privacy/)

2.6. Location Data

Precise location (only if you grant permission for location services):
- GPS coordinates for map features
- Location for event discovery
- Location for accommodation search
Approximate location (derived from IP address):
- City
- Country
- Region

2.7. Communication Data

Support inquiries: Messages, emails, and attachments sent to customer support
Feedback and surveys: Responses to surveys or feedback forms
Notifications: Push notification preferences and interactions

2.8. Social Interaction Data

Likes, comments, and reactions on posts
Following/followers relationships
Blocked users list
Reported content and moderation actions
Event registrations and attendance

3. HOW WE COLLECT YOUR DATA

3.1. Data You Provide Directly

Account registration
Profile creation and editing
Creating listings, posts, and content
Sending messages
Filling out forms
Uploading media

3.2. Data Collected Automatically

Usage data via analytics tools
Device information
Cookies and similar technologies
Log files

3.3. Data from Third Parties

OAuth providers (Google, Apple):
- Name, email, profile picture when you sign in with Google
- Name (optional), email when you sign in with Apple
Payment processors:
- Transaction confirmation and status
Other users:
- When other users tag you, mention you, or share your content

4. LEGAL BASIS FOR PROCESSING (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds. Each processing activity has a specific legal basis:

4.1. Performance of a Contract (GDPR Art. 6(1)(b))

Processing necessary to provide you with the Platform services you've agreed to use:

Account Creation & Management:

Legal basis: Contract performance
Data processed: Name, email address, phone number, password (hashed), username, profile information
Purpose: Create and maintain your user account, enable Platform access
Retention: While account is active + 30 days after deletion

Content Hosting & Display:

Legal basis: Contract performance
Data processed: User posts, comments, listings (events, accommodation, marketplace, AirBring), photos, videos, text content
Purpose: Host and display your content to other users as you've requested
Retention: Until you delete content or close account

Direct Messaging:

Legal basis: Contract performance
Data processed: Message content, timestamps, sender/recipient information
Purpose: Enable private communication between users
Retention: Until deleted by user (max 7 years for legal compliance)

Event Registration:

Legal basis: Contract performance
Data processed: Registration details, attendance information, QR ticket data
Purpose: Enable event registration and check-in functionality
Retention: 3 years after event date

User Interactions:

Legal basis: Contract performance
Data processed: Likes, comments, follows, blocks, saved posts
Purpose: Enable social features you've chosen to use
Retention: While account is active

4.2. Legitimate Interests (GDPR Art. 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

Platform Safety & Content Moderation:

Legal basis: Legitimate interests
Legitimate interest: Protecting users from illegal content, fraud, abuse; maintaining platform integrity
Data processed: Content analysis, user behavior patterns, reported content, moderation actions
Balancing test: Safety and legal compliance outweigh minimal privacy impact
Your right: Object to processing (contact [email protected])
Retention: Moderation logs 2 years, safety flags while relevant

Fraud Prevention & Security:

Legal basis: Legitimate interests
Legitimate interest: Preventing fraud, account takeovers, spam, and platform abuse
Data processed: IP addresses, device information, login patterns, suspicious activity indicators
Balancing test: Security necessity outweighs minimal intrusion
Your right: Object (may limit platform access if security compromised)
Retention: Security logs 12 months

Error Tracking & Platform Stability:

Legal basis: Legitimate interests
Legitimate interest: Identifying and fixing bugs to improve app stability and user experience
Data processed: Error logs, crash reports, stack traces (via Sentry - error tracking only, NOT analytics)
Balancing test: App stability benefits all users; data collection minimal (only during errors)
Your right: Object to error tracking (contact [email protected])
Retention: Error logs 90 days

Business Operations:

Legal basis: Legitimate interests
Legitimate interest: Operating and improving our business
Data processed: Customer support inquiries, feedback, bug reports
Balancing test: Providing effective support benefits users
Your right: Object (may affect support quality)
Retention: Support records 3 years

4.3. Consent (GDPR Art. 6(1)(a))

Processing only with your explicit, freely given consent:

Marketing Communications:

Legal basis: Consent
Data processed: Email address, communication preferences
Purpose: Send promotional emails, platform updates, feature announcements
How to consent: Opt-in during registration or in Account Settings
Withdrawal: Unsubscribe link in every email OR Account Settings > Notifications
Retention: Until consent withdrawn

Optional Profile Information:

Legal basis: Consent
Data processed: Bio/description, additional contact details, social media links
Purpose: Enrich your public profile
How to consent: Voluntarily provide information
Withdrawal: Delete information from profile settings
Retention: Until you remove it

Push Notifications (Optional):

Legal basis: Consent
Data processed: Device FCM token, notification preferences
Purpose: Send push notifications about messages, events, updates
How to consent: Grant notification permission on device
Withdrawal: Revoke in device settings or app settings
Retention: Until permission revoked or app uninstalled

Location Services (Precise GPS):

Legal basis: Consent
Data processed: GPS coordinates (temporary)
Purpose: Suggest nearby cities when you tap "Use Current Location"
How to consent: Grant location permission on device
Withdrawal: Revoke in device settings
Retention: Not stored (used temporarily only)

4.4. Legal Obligation (GDPR Art. 6(1)(c))

Processing required by law:

CSAM Reporting:

Legal basis: Legal obligation
Data processed: CSAM content, uploader information, metadata, evidence
Legal requirement: Irish Child Trafficking and Pornography Act 1998, EU Directive 2011/93/EU
Purpose: Report child sexual abuse material to authorities
Retention: As required by law enforcement (evidence preservation)

Law Enforcement Requests:

Legal basis: Legal obligation
Data processed: User data requested by valid legal process (subpoenas, court orders)
Legal requirement: Irish criminal procedure, EU directives
Purpose: Comply with lawful requests
Retention: As required by law

Tax & Business Compliance:

Legal basis: Legal obligation
Data processed: Transaction records (for paid services if introduced), business records
Legal requirement: Irish tax law, company law
Purpose: Maintain legally required business records
Retention: 7 years (Irish tax law requirement)

Data Breach Notification:

Legal basis: Legal obligation
Data processed: Breach details, affected users, remediation actions
Legal requirement: GDPR Article 33-34
Purpose: Notify Data Protection Commission and affected users
Retention: 5 years

4.5. Withdrawal of Consent and Objection Rights

For Consent-Based Processing:

You may withdraw consent at any time via Account Settings
Withdrawal does not affect lawfulness of processing before withdrawal
Some Platform features may become unavailable if consent is withdrawn

For Legitimate Interest Processing:

You have the right to object at any time (contact [email protected])
We will stop processing unless we demonstrate compelling legitimate grounds that override your interests
For direct marketing based on legitimate interests: Absolute right to object

How to Exercise Rights:

Email: [email protected]
Subject: "Withdraw Consent" or "Object to Processing"
Specify: Which processing activities you want to stop

5. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

5.1. Provide and Maintain Services

Create and manage your Account
Enable posting, messaging, and social features
Display your profile and content to other users
Process event registrations
Facilitate AirBring connections
Enable marketplace and accommodation listings
Deliver push notifications

5.2. Improve and Personalize Services

Analyze usage patterns
Improve app performance and user experience
Personalize content recommendations
Develop new features
Conduct research and analytics

5.3. Communication

Service Communications (No Consent Required):

Send service-related notifications (account activity, new messages, event reminders)
Send security alerts (password changes, suspicious login attempts)
Send transactional emails (account verification, password reset)
Respond to inquiries and support requests
Send important Platform updates (Terms changes, policy updates)

Legal Basis: Contract performance + Legal obligation

You cannot opt out of service communications (required for Platform functionality and legal compliance)

Marketing Communications (Consent Required):

Send promotional emails about new features
Send Platform news and updates (optional)
Conduct surveys and feedback requests (optional)
Send personalized recommendations

Legal Basis: Consent

How to Opt Out:

Click "Unsubscribe" link in any marketing email
Account Settings > Notifications > Uncheck "Marketing Emails"
Email: [email protected] with subject "Unsubscribe from Marketing"

5.4. Safety and Security

Detect and prevent fraud, abuse, and security threats
Enforce Terms of Service and Community Guidelines
Moderate content and investigate violations
Block abusive users
Protect user safety

5.5. Legal and Compliance

Comply with legal obligations
Respond to legal processes (subpoenas, court orders)
Protect our legal rights
Prevent illegal activity

5.6. Advertising

Display advertisements (personalized if you consent)
Measure ad performance
Process paid post boosting and ad campaigns

6. DATA SHARING AND DISCLOSURE

6.1. Closed-Community Platform - Members-Only Access

IMPORTANT: DesiWay is a closed-community marketplace and social platform created specifically for verified members of the Desi community.

Account Required: All user-generated content, listings, and community features are ONLY accessible to registered, logged-in users. We do NOT display user content to non-registered visitors or the general public.

Why Members-Only?

Privacy Protection: User information, photos, names, and contact details are protected from public internet access
Community Safety: Closed environment ensures accountability and reduces spam, fraud, and harassment
Trust & Verification: Members can connect with confidence knowing everyone is part of the verified Desi community
Cultural Relevance: Content curated specifically for South Asian community needs and interests

What Registered Members Can See:

The following information is visible only to other registered, logged-in members (NOT to public visitors):

Username and profile picture
Community posts, comments, and likes
Event listings (created by members)
Accommodation listings (including photos, descriptions, contact details, pricing)
Marketplace listings (including item descriptions, photos, seller information, pricing)
AirBring requests and travel plans (including traveler details, delivery requests, contact information)
Business directory listings
Verification badge status

Personal Contact Information in Listings: Many listings (marketplace, accommodation, AirBring) contain personal user information including:

Full names
Phone numbers
Email addresses
Personal photos
Detailed descriptions
Location information

According to our company privacy policy, we are strictly prohibited from displaying this user-generated content publicly to non-registered visitors. This ensures our members' personal information remains protected within the trusted community.

You control what you share with other members. Do not share sensitive personal information that you are uncomfortable with other community members seeing.

6.2. With Other Users

Direct messages: Shared with message recipients
Event organizers: Registration information shared with event organizers
Listing responses: Contact information shared when responding to listings

6.3. Service Providers

We share data with trusted third-party service providers who assist with:

Cloud hosting and storage (e.g., Supabase, AWS, CDN providers)
Authentication services (e.g., Google OAuth, Apple Sign-In)
Payment processing (e.g., Stripe, PayPal) – PCI-DSS compliant
Push notifications (e.g., Firebase Cloud Messaging)
Error tracking (Sentry - error logs and crash reports only)
AI content moderation (third-party AI services for safety and compliance - see Section 12.5)
Email services
Customer support tools

All service providers are contractually bound to protect your data and use it only for specified purposes.

6.4. Business Transfers

If DesiWay is involved in a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity. You will be notified of any such change.

6.5. Legal Requirements

We may disclose your data if required by law or in response to:

Legal process (subpoenas, court orders, legal claims)
Government or law enforcement requests
Protection of our legal rights
Prevention of fraud, harm, or illegal activity
National security or public safety requirements

6.6. Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot identify you individually, for:

Research and analytics
Public reports
Marketing purposes

7. INTERNATIONAL DATA TRANSFERS

7.1. Data Storage Locations

Primary Data Storage:

Ireland (EU): Primary database and user data (Supabase EU region)
European Union: Media storage and backups within EU data centers

Your personal data is primarily stored and processed within the European Union.

7.2. Transfers Outside the EU/EEA

Some third-party service providers transfer data to the United States:

7.2.1. Google Services (OAuth Sign-In Only)

Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
Safeguard: EU-US Data Privacy Framework (adequacy decision by European Commission)
Alternative Safeguard: EU Standard Contractual Clauses (SCCs)
Data Transferred: Name, email, profile picture (ONLY when you sign in with Google)
Purpose: OAuth authentication
More Info: https://policies.google.com/privacy/frameworks

7.2.1a. Apple Services (Apple Sign-In Only)

Recipient: Apple Inc., One Apple Park Way, Cupertino, CA 95014, United States
Safeguard: EU-US Data Privacy Framework + EU Standard Contractual Clauses (SCCs)
Data Transferred: Name (optional), email (real or private relay) (ONLY when you sign in with Apple)
Purpose: OAuth authentication
More Info: https://www.apple.com/legal/privacy/

7.2.2. Sentry (Error Tracking)

Recipient: Functional Software, Inc. (Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States
Safeguard: EU-US Data Privacy Framework + EU Standard Contractual Clauses (SCCs)
Data Transferred: Error logs, device info, app version, User ID (only during app errors/crashes)
Purpose: Error tracking and bug fixing
Retention: 90 days
More Info: https://sentry.io/privacy/ | https://sentry.io/legal/dpa/

7.2.3. Firebase Cloud Messaging (Push Notifications)

Recipient: Google LLC, United States
Safeguard: EU-US Data Privacy Framework
Data Transferred: Device FCM token, notification delivery data
Purpose: Deliver push notifications
More Info: https://firebase.google.com/support/privacy

7.2.4. OpenAI (AI Content Moderation)

Recipient: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, United States
Safeguard: EU Standard Contractual Clauses (SCCs)
Data Transferred: Reported user content (text, images) for safety analysis ONLY
Purpose: AI-powered content moderation, policy violation detection
Retention: 30 days (per OpenAI API Data Usage Policy)
More Info: https://openai.com/policies/privacy-policy | https://openai.com/policies/api-data-usage-policies
Note: Data NOT used for training AI models

7.2.5. Payment Processors (Future Implementation)

Current Status: DesiWay does NOT currently process payments.

If payment services are introduced:

Stripe: EU-US Data Privacy Framework + SCCs
PayPal: EU-US Data Privacy Framework + SCCs
You will be notified before implementation

7.3. Adequacy Decisions

We rely on the EU-US Data Privacy Framework adequacy decision adopted by the European Commission on July 10, 2023.

Official Documentation: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

7.4. Standard Contractual Clauses (SCCs)

Where EU-US Data Privacy Framework does not apply, we use EU Standard Contractual Clauses approved by the European Commission (Decision 2021/914).

7.5. Your Rights Regarding International Transfers

Right to Information:

You may request copies of Standard Contractual Clauses
You may request details about specific international transfers

Right to Object:

You may object to international transfers (contact [email protected])
Note: Objection may limit Platform functionality (e.g., cannot use Google Sign-In)

How to Request Information:

Email: [email protected]
Subject: "International Data Transfer Information Request"
We will respond within 30 days

8. DATA RETENTION

8.1. Retention Periods

We retain your personal data for as long as necessary to:

Provide Services (while your Account is active)
Comply with legal obligations
Resolve disputes
Enforce agreements

8.2. Specific Retention Periods

Data Type	Retention Period
Account data	While account is active + 30 days after deletion
Posts and content	While account is active (or until you delete)
Messages	Until deleted by user (max 7 years for legal compliance)
Transaction records	7 years (legal requirement)
Event registration data	3 years after event date
Usage logs	12 months
Support inquiries	3 years
Blocked users list	While account is active

8.3. Account Deletion

When you delete your Account:

Personal profile information is deleted or anonymized within 30 days
Content you posted may be anonymized (username removed) but remain visible to registered members
Certain data may be retained for legal or security purposes as required by law

8.4. Legal Holds

If your data is subject to legal hold (e.g., ongoing litigation), we will retain it until the hold is lifted.

9. YOUR RIGHTS (GDPR & EU LAW)

9.1. Right of Access (GDPR Art. 15) - Detailed Implementation

What You Can Request:

Confirmation of whether we process your personal data
A complete copy of your personal data
Information about how, why, and where we process your data
Categories of data processed
Recipients or categories of recipients of your data
Retention periods
Your GDPR rights
Information about automated decision-making (if applicable)

How to Submit a Data Access Request:

Submit Request:
- Email: [email protected] with subject "Data Access Request"
- In-App: Account Settings > Privacy > Request My Data
- Mail: MANOHARA LIMITED, VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND
Identity Verification:
- For standard requests: Email confirmation sufficient
- For sensitive requests: Photo ID may be required (passport, driver's license, national ID)
- Purpose: Prevent unauthorized disclosure of personal data
Response Timeline:
- Standard Response: Within 30 days of verified request
- Complex Requests: May extend up to 2 additional months (we will notify you)
- Reason for Delay: High volume of requests or complexity of data processing
Data Format:
- Primary Format: JSON (JavaScript Object Notation) - machine-readable for portability
- Alternative Formats: PDF, CSV (upon request)
- Delivery: Secure download link via email (link expires in 7 days)

Data Included in Access Response:

Account Information:

User ID, username, email address, phone number
Full name, profile picture, bio/description
Account creation date, last login date
Email verification status, account verification status
Community interests selected

User-Generated Content:

All posts (text, images, videos) with timestamps
All comments and replies
Event listings created
Accommodation listings created
Marketplace listings created
AirBring requests and travel plans
Business directory listings

Messages and Communications:

Direct messages sent and received (with timestamps)
Support inquiries and correspondence
System notifications received

Activity and Interaction Data:

Posts liked, saved, or bookmarked
Events registered for or attended
User accounts followed
User accounts blocked
Search history (if stored)

System-Generated Data:

Login history (dates, times, IP addresses)
Device information (device type, OS version, app version)
Location data (user-selected locations, not GPS tracking)
Session data

Third-Party Integration Data:

Google OAuth connection data (name, email from Google)
OAuth authorization dates

Processing Information:

Legal basis for each category of processing
Retention period for each data type
Third-party processors with access to your data
International transfers (if applicable)

Exclusions from Access:

We may withhold data that would:

Reveal personal data of other users (to protect their privacy)
Disclose trade secrets or confidential business information
Interfere with ongoing investigations or legal proceedings
Violate intellectual property rights of third parties

No Fee for Access:

First request per 12 months: Free of charge
Excessive or repetitive requests: We may charge a reasonable administrative fee or refuse (with justification)

Complaints: If you are not satisfied with our response, you may lodge a complaint with:

Data Protection Commission (Ireland): https://www.dataprotection.ie
Your local EU data protection authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.2. Right to Rectification (GDPR Art. 16)

You have the right to:

Correct inaccurate personal data
Complete incomplete personal data

How to exercise: Update your profile in Account Settings or contact us

9.3. Right to Erasure / "Right to Be Forgotten" (GDPR Art. 17)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the purposes collected
You withdraw consent
You object to processing (and no overriding legitimate grounds exist)
Data was unlawfully processed
Data must be erased to comply with a legal obligation

Exceptions: We may retain data if required by law or for legal claims.

How to exercise: Delete your Account through Account Settings or contact us

9.4. Right to Restriction of Processing (GDPR Art. 18)

You have the right to request restriction of processing when:

You contest the accuracy of data
Processing is unlawful, but you oppose erasure
We no longer need the data, but you need it for legal claims
You object to processing (pending verification of legitimate grounds)

How to exercise: Contact us at [email protected]

9.5. Right to Data Portability (GDPR Art. 20)

You have the right to:

Receive your personal data in a structured, commonly used, machine-readable format
Transmit your data to another controller

How to exercise: Contact us at [email protected] to request a data export

9.6. Right to Object (GDPR Art. 21)

You have the right to object to processing based on:

Legitimate interests
Direct marketing (including profiling)

How to exercise: Contact us or adjust settings in Account Settings

9.7. Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise: Adjust settings in Account Settings or contact us

9.8. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) if you believe your data protection rights have been violated.

EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.9. Automated Decision-Making and Profiling (GDPR Art. 22)

Automated Content Moderation:

We use automated systems to detect and remove certain types of illegal content:

Child Sexual Abuse Material (CSAM) Detection
- System: PhotoDNA hash-matching technology
- Decision: Automatic content removal + mandatory law enforcement reporting
- Legal Basis: Legal obligation (Irish Child Trafficking and Pornography Act 1998, EU Directive 2011/93/EU)
- Human Review: All CSAM removals reviewed by trained personnel as soon as practicable in accordance with Irish law, typically within 48-72 hours during business days (Monday-Friday), with urgent cases prioritized
- No Appeal: CSAM violations result in permanent account termination (no appeal due to legal requirements)
Spam and Duplicate Content Filtering
- System: Automated spam detection algorithms
- Decision: Content flagged or automatically removed
- Legal Basis: Legitimate interests (Platform integrity)
- Human Review: You may request human review via [email protected]
- Right to Object: Contact [email protected] if you believe content was incorrectly flagged
Known Illegal Content Detection
- System: Hash-based detection of previously identified illegal material (terrorism, CSAM, etc.)
- Decision: Automatic content removal
- Legal Basis: Legal obligation (DSA Article 17 - serious criminal offenses)
- Human Review: All automated removals reviewed without undue delay, typically within 3-5 business days, with priority given to disputed removals
- Appeal Rights: See Community Guidelines Section on DSA Appeals

Profiling:

We do NOT use profiling that produces legal effects or similarly significantly affects you.

Your Rights:

Right to human review: Request human review of automated decisions via [email protected]
Right to object: Object to automated processing (contact [email protected])
Right to explanation: Request explanation of automated decision logic

Exception: CSAM automated removal cannot be appealed due to legal requirements.

10. DATA SECURITY

10.1. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

Technical Measures:

Encryption in transit (TLS/SSL)
Encryption at rest for sensitive data
Secure authentication (password hashing with bcrypt/Argon2)
OAuth 2.0 for third-party authentication
Secure API access controls
Regular security audits and penetration testing
Intrusion detection systems
Firewall protection

Organizational Measures:

Access control and authorization policies
Employee training on data protection
Confidentiality agreements with staff and vendors
Data breach response plan
Regular security reviews

10.2. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights:

We will notify the relevant supervisory authority within 72 hours where feasible, or as soon as possible thereafter with reasons for any delay (as required by GDPR Article 33)
We will notify affected users without undue delay if the breach poses a high risk
Notification will include:
- Nature of the breach
- Categories and approximate number of affected users
- Likely consequences
- Measures taken to address the breach
- Contact point for further information

10.3. Your Responsibility

You are responsible for:

Keeping your password secure
Logging out of your Account on shared devices
Notifying us immediately of unauthorized access

11. LOCAL STORAGE AND TRACKING TECHNOLOGIES

11.1. We Do NOT Use Cookies

Important: DesiWay does NOT use traditional HTTP cookies on our mobile app or web platform.

Instead, we use:

Local Storage (browser LocalStorage on web, SharedPreferences on mobile)
Secure Storage (encrypted storage for authentication tokens)

11.2. Why No Cookie Consent Banner?

Legal Basis: ePrivacy Directive (Cookie Law) applies to cookies and similar technologies.

Since we use LocalStorage for essential functionality only (authentication, preferences), and NOT for tracking or analytics:

✅ No cookie consent banner required
✅ ePrivacy Directive compliant
✅ GDPR compliant (local storage for essential services = legitimate interest)

11.3. Local Storage - What We Store

See our Data Storage & Tracking Policy for full details: www.desiway.in/cookie-policy

Summary of Local Storage:

Essential Storage (No Consent Required)

Authentication tokens: Keep you logged in (strictly necessary)
Theme preference: Remember light/dark mode setting
Language preference: Remember selected language
Session management: Maintain your active session

Legal Basis: Legitimate interests + ePrivacy Directive exemption for strictly necessary storage

Optional Storage (Consent-Based)

Location preference: Remember your selected city (you can change anytime)
Feed filters: Remember your feed customization choices
FCM token: For push notifications (requires device permission)

Legal Basis: Consent (you voluntarily provide these preferences)

11.4. Third-Party Local Storage

Google OAuth: If you sign in with Google, Google may store authentication tokens in your browser. See Google's Privacy Policy: https://policies.google.com/privacy

Supabase: Stores session tokens in LocalStorage for authentication. See Supabase Privacy Policy: https://supabase.com/privacy

11.5. Clear Local Storage

You can clear local storage at any time:

Web: Browser settings > Clear browsing data > Cookies and site data
Mobile App: Settings > Clear Cache (or uninstall/reinstall app)

See Section 7 of our Data Storage & Tracking Policy for detailed instructions: www.desiway.in/cookie-policy

12. THIRD-PARTY SERVICES

12.1. OAuth Providers (Google, Apple)

When you sign in with Google:

Google shares your name, email, and profile picture with us
Your use of Google is governed by Google's Privacy Policy: https://policies.google.com/privacy

When you sign in with Apple:

Apple shares your name (optional) and email (real or private relay) with us
Your use of Apple Sign-In is governed by Apple's Privacy Policy: https://www.apple.com/legal/privacy/

12.2. Payment Processors

We use third-party payment processors (e.g., Stripe, PayPal) for event payments and advertisements. We do not store payment card information.

Payment processors handle payment data in accordance with PCI-DSS standards.

12.3. Cloud Services

Supabase: Database and backend services (data stored in EU)
CDN providers: Media storage and delivery
Firebase: Push notifications only (NOT analytics)
Sentry: Error tracking and crash reporting

12.4. Third-Party Links

The Platform may contain links to external websites. We are not responsible for the privacy practices of external websites. Please review their privacy policies.

12.5. AI-Powered Content Moderation (EU AI Act & DSA Compliance)

IMPORTANT NOTICE: DesiWay uses Artificial Intelligence (AI) systems to analyze user-generated content for safety, security, and legal compliance purposes.

12.5.1. Why We Use AI

To protect our community and comply with legal obligations, we use AI to:

Detect illegal content (CSAM, terrorism, hate speech, violence)
Identify spam, scams, and fraudulent activity
Enforce Community Guidelines and Terms of Service
Respond to user reports about content violations
Analyze messages for child safety and user protection

Legal Basis:

Legal obligation (CSAM detection, illegal content removal - Irish law, EU DSA)
Legitimate interests (platform safety, fraud prevention - GDPR Art. 6(1)(f))

12.5.2. What Content Is Analyzed

AI systems may analyze:

Posts, comments, and replies: Text, images, videos
Direct messages: ONLY when reported by a user OR when automated CSAM detection is triggered
Event listings, marketplace items, accommodation listings, AirBring requests
Profile information: Bios, usernames (for impersonation detection)
Uploaded media: Images and videos (hash-matching for known illegal content)

We do NOT read your private messages proactively. Messages are analyzed by AI ONLY:

When another user reports a message for violating our policies, OR
When automated CSAM detection systems detect illegal material (mandatory legal requirement)

12.5.3. Third-Party AI Providers

We use the following third-party AI services for content moderation:

OpenAI (ChatGPT API)

Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, United States
Safeguard: EU Standard Contractual Clauses (SCCs)
Data Transferred: Reported content, user-generated text, images (for analysis only)
Purpose: Content policy violation detection, context analysis, safety classification
Retention: OpenAI retains data for 30 days (per their API Data Usage Policy: https://openai.com/policies/api-data-usage-policies)
Privacy Policy: https://openai.com/policies/privacy-policy
Note: We use OpenAI's API, NOT ChatGPT consumer service. OpenAI does NOT use API data for model training.

Additional AI Services (may be added):

Google Cloud AI / Vertex AI: Text and image moderation
Microsoft Azure Content Safety: Harmful content detection
AWS Rekognition: Image moderation

Current Status: We primarily use OpenAI's moderation APIs. Any changes will be reflected in this Privacy Policy.

12.5.4. How AI Moderation Works

User Reports: When a user reports content, our AI analyzes the reported item
Automated Detection: AI scans for known illegal content (hash-matching)
Classification: AI classifies content severity (low, medium, high risk)
Human Review: High-risk content flagged for human moderator review
Action: Content may be removed, user warned, or account suspended

Transparency (EU AI Act Article 50 Compliance):

✅ You are informed that AI systems analyze your content
✅ AI decisions are subject to human review for high-impact actions
✅ You can request human review of AI decisions (contact: [email protected])
✅ You have the right to explanation of automated decisions

12.5.5. Your Rights Regarding AI Moderation

Right to Human Review (GDPR Art. 22):

You may request human review of any AI-based content moderation decision
Contact: [email protected] with subject "Request Human Review"
Response time: Without undue delay, typically within 5-7 business days for standard requests. Urgent cases involving potential harm are prioritized and addressed more quickly.

Right to Explanation:

You may request an explanation of why content was flagged or removed
We will provide the reason and policy violated

Right to Object (GDPR Art. 21):

You may object to AI processing of your content
Note: Objection may limit your ability to use the Platform (safety requirement)
CSAM detection cannot be opted out (legal obligation)

Right to Appeal (DSA Article 20):

If content is removed, you may appeal the decision
See our Community Guidelines for appeal process

12.5.6. Data Minimization

We minimize data sent to AI providers:

✅ Only reported or flagged content is analyzed (not all content)
✅ Personal identifiers removed when possible
✅ Context limited to what's necessary for safety analysis
✅ AI providers delete data within 30 days

12.5.7. EU AI Act Compliance

AI System Risk Classification: Limited-risk AI system (transparency obligations apply)

Compliance Measures:

✅ Transparency: Users informed of AI usage (this section)
✅ Human oversight: Human moderators review high-impact decisions
✅ Accuracy: Regular testing and monitoring of AI accuracy
✅ Accountability: Records of AI decisions maintained for 2 years

Effective Date: August 2, 2026 (EU AI Act full application date)

Current Status: We are implementing these measures proactively to ensure compliance before the deadline.

12.5.8. Contact for AI-Related Questions

If you have questions about our use of AI for content moderation:

Email: [email protected] with subject "AI Moderation Inquiry"
We will respond within 30 days

13. CHILDREN'S PRIVACY

13.1. Age Restriction

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal data from children under 18.

13.2. Parental Notice

If you are a parent or guardian and believe your child has provided personal data to us, please contact us at [email protected]. We will delete such data promptly.

13.3. Age Verification

By using the Platform, you represent that you are at least 18 years of age.

14. CHANGES TO THIS PRIVACY POLICY

14.1. Right to Modify

We may update this Privacy Policy from time to time to reflect changes in:

Our data practices
Legal requirements
Platform features

14.2. Notice of Changes

We will notify you of material changes by:

Email notification
In-app notification
Posting an updated Privacy Policy with a new "Last Updated" date

14.3. Acceptance of Changes

Your continued use of the Platform after changes become effective constitutes acceptance of the updated Privacy Policy.

14.4. Review

We encourage you to review this Privacy Policy periodically.

15. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

MANOHARA LIMITED (trading as DesiWay)

Privacy Team: Email: [email protected]

Data Protection Officer: Email: [email protected]

Mailing Address: VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND