Privacy Policy

Last updated: 18 April 2026

1. Who we are

Hushr (“we”, “us”, “our”) operates hushr.me, a pre-launch waitlist and signal-capture platform for college students in India. This policy explains what data we collect, why, how we store it, and your rights under the Digital Personal Data Protection Act, 2023 (DPDP Act).

Hushr acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023. We determine the purpose and means of processing your personal data and are accountable for its lawful handling.

2. What we collect

  • Email address — to identify you on the waitlist and send transactional emails (welcome, referral notifications).
  • College name — to segment campus-level launches.
  • Year of study, career intent, verification preference — to understand cohort composition.
  • Scenario responses — your answers to the 3 intent-signal questions. Used to measure product–market fit.
  • Referral code + attribution — tracks who referred whom for the waitlist priority system.
  • IP address (hashed) — stored as a one-way SHA-256 hash with a secret pepper. We cannot reverse it to your IP. Used only for rate-limiting and abuse detection.
  • User agent — browser/OS string, truncated to 512 characters. Used for debugging only.
  • UTM parameters + HTTP referer — campaign attribution (e.g. which Instagram post drove a signup).
  • Page view and interaction events — scroll depth, button clicks, form focus/abandon. No cross-site tracking. No third-party cookies.

3. What we do NOT collect

  • We do not collect your real name, phone number, government ID, or financial information.
  • We do not use third-party tracking pixels (Meta Pixel, Google Analytics, etc.).
  • We do not sell, rent, or share your data with advertisers or data brokers. Ever.

4. How we use your data

All data is processed strictly for specified and lawful purposes related to waitlist management, product validation, and system integrity. We do not repurpose data for unrelated uses.

  • Waitlist management — position, referral priority, founding member badges.
  • Transactional email — welcome confirmation, referral notifications. No marketing spam.
  • Product validation — aggregate, anonymised analysis of scenario responses and engagement patterns.
  • Abuse prevention — rate limiting via hashed IP, captcha verification (Cloudflare Turnstile).

5. Where we store your data

Your data is stored in a PostgreSQL database hosted by Supabase (cloud infrastructure by AWS). The database instance is located in ap-northeast-1 (Tokyo, Japan). All connections are encrypted via TLS. Row-level security is enabled on every table; only our server-side application (authenticated with a service-role key) can read or write data.

Emails are delivered via Resend (US-based). Rate-limiting state is held in Upstash Redis (regional, India). Captcha verification uses Cloudflare Turnstile. The website is hosted on Vercel (global CDN).

These third-party services act as data processors under our instructions and are bound by their respective privacy and security obligations. We select processors with strong security posture (SOC 2, GDPR, ISO 27001) and only share the minimum data required to deliver each function.

International transfers: by using Hushr, you acknowledge that your data may be processed outside India in jurisdictions (including Japan, the United States, and the European Union) that may have different data protection standards. We rely on the contractual and technical safeguards provided by our processors to protect your data during transfer and storage.

6. How long we keep your data

Waitlist data is retained until the Hushr platform launches and you are onboarded, or until you request deletion — whichever comes first. Event logs are retained for up to 12 months and then purged.

7. Your rights (DPDP Act, 2023)

As a data principal under the DPDP Act, you have the right to:

  • Access — request a summary of the data we hold about you.
  • Correction — ask us to fix inaccurate data.
  • Erasure — request deletion of your data at any time.
  • Withdraw consent — opt out of future communications.

Self-service deletion: visit hushr.me/delete, enter your email, and confirm via the link we send you. Your record is removed immediately on confirmation (FK cascade clears scenario answers, referral attribution, and event log).

For access, correction, or any other request: email privacy@hushr.me (or reply to any transactional email from us). We will respond within 7 business days.

8. Cookies

We use only strictly necessary cookies — Supabase session cookies for admin authentication and Cloudflare Turnstile challenge tokens. We do not use advertising or analytics cookies. Vercel Analytics is cookie-free and privacy-compliant.

9. Children

Hushr is designed for college students aged 17 and above. We do not knowingly collect data from children under 17. If you believe we have, contact us and we will delete it immediately.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via email to all waitlist members. The “last updated” date at the top reflects the most recent revision.

11. Contact

For any privacy-related questions or requests:
Email: privacy@hushr.me
Website: hushr.me