Shield
Sign in

Legal

Privacy Policy

Last updated: 2026-04-15

This Privacy Policy explains how Rostan Technologies Pvt. Ltd. (“Shield”, “we”, “us”) processes personal data of parents and children who use the Shield parental control platform. Shield acts as a Data Fiduciaryunder India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). You, the parent, are the Data Principaland also the verifiable lawful guardian of your child’s data.

1. Notice and lawful basis

We process personal data on the basis of your explicit consent given at sign-up and, where applicable, legitimate uses specified in §7 of the DPDP Act (including service provision, fraud prevention, and compliance with Indian law). You may review or withdraw consent at any time from Settings → Account in the parent app.

2. Categories of personal data we collect

  • Parent account data: email address, hashed password (Argon2id), authentication tokens, IP address of sign-in, device user-agent.
  • Child profile data: first name (or nickname), date of birth, avatar image chosen by the parent.
  • Device identifiers: device install ID, OS version, FCM push token (for parent notifications only).
  • DNS query summaries:aggregated category counts (e.g. “social: 12, gaming: 3”). We do not store full URLs or page content.
  • Approximate location: only when you explicitly enable Real-Time Location; stored as latitude/longitude rounded to 3 decimal places.

3. Purposes of processing

Personal data is processed only for: (a) delivering the Shield service to your family, (b) issuing safety alerts to you, (c) aggregated product analytics (fully de-identified), (d) billing through Razorpay, and (e) responding to lawful orders of Indian authorities under the DPDP Act and applicable criminal procedure.

4. Retention windows

  • Raw activity events — 90 days (partitioned, auto-dropped).
  • Daily aggregates — 365 days.
  • Location pings — 90 days by default (parent-adjustable).
  • Audit logs — 24 hours hot, 365 days cold for compliance.
  • Deleted accounts — 30-day grace period, then cryptographic erasure.

5. Sharing and cross-border transfers

We do not sell personal data. Processors used: Razorpay (payments), Cloudflare (WAF + CDN, EU/US edge), AWS ap-south-1 (primary storage, Mumbai), Anthropic (Claude API, US) — prompts are tokenized and stripped of PII before transmission per our AI-01 rule. Cross-border transfers comply with §16 of the DPDP Act.

6. Your rights as Data Principal (incl. data deletion)

You may (a) access a machine-readable export of your family’s data, (b) request correction, (c) request erasure, (d) nominate a person to act on your behalf in the event of death or incapacity, and (e) file a grievance. Points (a) and (c) are self-service at /settings/account.

Account & data deletion:you can delete your account and your family’s associated data yourself, in-app, at Settings → Account (web: /settings/account), or by emailing privacy@shield.makewish.ai. On deletion we apply a 30-day grace period (during which you can cancel the request) and then perform cryptographic erasure, as described in §4 above.

7. Grievance Officer

Grievance Officer: Virender Kumar, grievance@shield.makewish.ai, Sector 62, Noida, UP 201301, India. Response SLA: 30 days per DPDP §13.

8. Contact

You may contact us about this policy at: privacy@shield.makewish.ai.