1. Who we are
C-Trace ForensIQ is a professional investigation toolkit published by CDR Softwares (India). It is intended for licensed law-enforcement officers and authorised private investigators working under lawful instruction.
This Privacy Policy explains what data the app collects, how it is used, how long it is kept, and the rights you have over it. Nothing in this policy overrides any applicable court order or statutory duty.
Contact for privacy matters:
Email: [email protected]
Phone: +91 9100111666
Website: facematch.cdrsoftwares.com
2. The guiding principle
3. Data we collect
| Data | Where processed | Purpose | Retention |
|---|---|---|---|
| Mobile number | Server (login only) | Account authentication via OTP; fraud prevention | Active account + 90 days after closure |
| Full name (optional) | Server | Account personalisation on the login screen | Active account + 90 days after closure |
| Device ID & model | Server | Per-device session lock; fraud prevention; anti-sharing | Active account + 90 days after closure |
| Photos uploaded for face match | Server (AWS India region) | Generate face embeddings via AWS Rekognition; match against offender database | Until explicitly deleted by an admin or by account deletion |
| Vehicle numbers for plate lookup | Server | Licence-plate database search | Queried transiently; full query text not retained beyond audit-log requirement (180 days) |
| Consent acceptance record (IP, timestamp, version) | Server | Legal proof of terms & policy acceptance under DPDP Act 2023 and IT Act 2000 | 3 years (statutory) |
| Audit logs (which feature was used, when) | Server | Security, anti-abuse, internal compliance audits | 180 days rolling |
| Bank / UPI statements, CIBIL reports, WhatsApp chats, suspect profiles, exported PDFs and Excel files | Your device only | All parsing and analysis runs on-device. We do not receive, store, or have any way to read this content. | Controlled by you; deletable anytime from the app or OS |
4. Data we do NOT collect
- Location / GPS coordinates
- Contacts, call logs, SMS
- Camera or microphone access beyond the photo you explicitly pick
- Financial account numbers, UPI IDs, credit-card details, bank balances
- Message content (any chat content you import stays on-device)
- Health data
- Browsing history or any third-party advertising identifiers
- Biometrics beyond the face-match purpose you trigger
5. Legal basis (DPDP Act, 2023)
Under Section 6 of the Digital Personal Data Protection Act, 2023, we process your personal data on the basis of:
- Your free and informed consent, given during the sign-up flow in the app. You can withdraw consent at any time — see "Your rights" below.
- Legitimate use for authentication, fraud prevention, and responding to lawful requests from Indian government or judicial authorities.
6. How we protect your data
- All network traffic between the app and our servers is encrypted with TLS 1.2 or higher.
- Photos sent for face match are stored at rest in an encrypted Amazon S3 bucket in the Asia (Mumbai, ap-south-1) region.
- Login uses a one-time password sent to your registered mobile. No password is ever stored.
- Authentication attempts and OTP requests are rate-limited to deter brute force.
- Administrative access to our servers is protected by strong passwords and restricted to a small number of named personnel.
- All administrative actions (photo deletion, account changes) are logged server-side.
7. Third-party data processors
We use the following service providers under strict data-processing agreements. They act only on our instructions and cannot use your data for their own purposes.
- Amazon Web Services (India) — server hosting and object storage. Region: ap-south-1 (Mumbai).
- Amazon Rekognition — face-embedding generation for match search. Images are sent to the AWS API and the returned embedding is stored; the original image is also stored in our S3 bucket.
- SMS OTP provider (for Indian-number OTP delivery) — receives your mobile number and the OTP text, nothing else.
We do not sell, rent, or trade your data to any third party, and we do not allow any third party to use it for advertising.
8. Sharing with authorities
We may disclose specific data if lawfully required to do so by an Indian court order, by a recognised law-enforcement agency acting under the Code of Criminal Procedure, 1973 / Bharatiya Nagarik Suraksha Sanhita, 2023, or under the Information Technology Act, 2000. We review every such request for legal validity before acting on it.
9. Children
The app is intended for adult professional users aged 18 and above. We do not knowingly collect data from anyone under 18. If we become aware that a minor has created an account, we will delete the account and any associated data.
10. Your rights
Under the DPDP Act, 2023, you have the right to:
- Access a summary of the data we hold about you.
- Correction of inaccurate data (name, phone on file).
- Erasure of your account and associated server-side data. You can start this any time from within the app: hamburger menu → Delete My Account. There is a 72-hour cancellation window after which deletion is final.
- Withdrawal of consent — by deleting your account, you also withdraw consent for further processing.
- Grievance redressal — if you are not satisfied with how we have handled your data, write to our grievance officer (details below). If that does not resolve the matter, you may escalate to the Data Protection Board of India.
11. Data retention summary
Most server-side data is kept only while your account is active, plus 90 days. Consent records are kept for 3 years as required by law. Audit logs are kept for 180 days. Everything on your device is kept according to your own device storage and is deleted when the app is uninstalled or the data is cleared.
12. Cookies
The mobile app itself uses no cookies. The companion admin web panel at facematch.cdrsoftwares.com/admin.html uses one first-party localStorage entry to keep an admin signed in. There is no advertising or analytics tracker of any kind.
13. Grievance officer
In accordance with Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 10 of the DPDP Act, 2023:
Name: Grievance Redressal Officer, CDR Softwares
Email: [email protected]
Phone: +91 9100111666
Response time: within 72 hours of receipt; final resolution within 15 days.
14. Changes to this policy
If we make material changes to this policy, we will notify you through the app (an on-launch notice) and revise the "Effective" date at the top of this page. Continued use of the app after a revision means you accept the revised policy.
15. Jurisdiction
This policy is governed by the laws of the Republic of India. Courts at Hyderabad, Telangana will have exclusive jurisdiction for any disputes arising out of or in connection with it.