Privacy Policy

Effective Date: 26 March 2026

MINTech Innovations Private Limited ("Company", "we", "us", "our"), having its registered office at Plot No 2, Prime Anmol, Apartment Gorewada, Katolroad, Nagpur - 440013, Maharashtra, India, operates the TinySteps mobile application ("App").

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

By using TinySteps, you consent to the collection and use of your data as described in this Policy.

1. Data We Collect

1.1. Account & Identity Data

• Phone number (required for OTP-based authentication)
• Email address
• Firebase Authentication UID (internal identifier)
• Account role (mom, business, or admin)

1.2. Mom Profile Data

• Full name
• Date of birth
• Occupation
• Bio / greeting message
• Interests and hobbies
• Profile and cover photos

1.3. Children's Data (entered by mom)

We collect the following information about your children, which is entered and managed exclusively by you (the mom):

• Child's name and nickname
• Date of birth and gender
• School name and enrolment status
• Interests and activities
• Profile and cover photos

Children do not have independent access to the App. All children's data is processed on the basis of maternal consent.

1.4. Location Data

• Precise GPS coordinates (latitude/longitude) — collected when you grant location permission via your device's native dialog
• Address (text) — entered by you during profile setup or event/playdate creation
• City (default: Nagpur)

Location data is used to calculate distances for nearby playdates, events, connections, and business recommendations. You can revoke location permission at any time through your device settings and control address visibility through the App's privacy settings.

1.5. Media & Uploaded Content

• Profile pictures, cover images, and gallery photos
• Event cover images
• Message attachments (images, videos, documents)

All uploaded media is compressed on your device before upload and scanned for malware on our servers. Media is stored on Amazon Web Services (AWS) S3 and delivered via AWS CloudFront CDN.

1.6. Messaging Data

• Message content (text, images, files)
• Message delivery and read status
• Conversation metadata (participants, timestamps)

1.7. Social Graph Data

• Connection requests and status (pending, accepted, ignored)
• Block list
• Business follows

1.8. Activity & Event Data

• Playdates created, accepted, or declined (including activity type, location, schedule, age preferences)
• Events created, RSVPs, and attendance
• Reviews and ratings for businesses
• Playdate feedback (enjoyed, not a match, did not happen)

1.9. Device & Technical Data

• Device push notification token (FCM token)
• Device platform (iOS or Android)
• App version and build number
• Network connectivity status

1.10. Analytics Data

We use PostHog for product analytics. The following is collected automatically or on specific user actions:

• App open/close events and session duration
• Screen navigation events
• Feature usage events (e.g. playdate created, event RSVP, connection request sent)
• Session replay (interaction recordings — taps and scrolls, no keyboard content)
• Crash and error reports

1.11. Voucher & Transaction Data

• Voucher unlock progress and redemption status
• QR code identifiers for redemption
• Business UPI ID (for settlement, business accounts only)

2. How We Use Your Data

We process your personal data for the following purposes:

• Authentication: Verify your identity via phone OTP
• Core Features: Enable playdates, events, connections, messaging, and business discovery
• Personalisation: Recommend connections, events, and businesses based on your location, interests, and children's ages
• Communication: Send push notifications for messages, requests, invitations, and updates
• Safety: Scan uploaded media for malware; enforce blocking and reporting; moderate content
• Analytics: Understand usage patterns, improve features, and fix bugs
• Promotions: Deliver voucher campaigns and reward programmes
• Business Insights: Provide aggregated lead analytics to business account holders (no individual user data is shared)
• Legal Compliance: Comply with applicable Indian laws and respond to lawful requests from authorities

3. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023:

• Consent: We process your data based on your consent provided at registration and through your continued use of the App
• Maternal Consent: Children's data is processed based on the verifiable consent of the mom who creates and manages the child's profile
• Legitimate Uses: Certain processing is necessary for providing the services you have requested, ensuring platform safety, and complying with legal obligations

4. Children's Privacy

4.1. TinySteps is designed for adult moms (18 years and older) and is not directed at children. We do not knowingly collect personal data directly from children. Children do not create accounts, log in, or independently access any feature of the App.

4.2. Children's information (name, age, school, interests) is entered solely by the mom to facilitate age-appropriate playdates and activity matching. This data is controlled by the mom and can be edited or deleted at any time through the App.

4.3. If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.

5. Data Storage & Security

5.1. Your data is stored on servers located in the AWS Asia Pacific (Mumbai) ap-south-1 region within India.

5.2. We implement reasonable security practices and procedures as required under the SPDI Rules, 2011, including:

• Encrypted data transmission (HTTPS/TLS)
• Database encryption at rest (AWS RDS encryption)
• Role-based access control for internal systems
• JWT-based authentication with short-lived tokens (15-minute access tokens)
• Rate limiting to prevent abuse
• Malware scanning of all uploaded media

5.3. While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Sharing

We do NOT sell your personal data. We share data only in the following limited circumstances:

6.1. Third-Party Service Providers

• Firebase (Google): Phone number for OTP authentication; FCM token for push notifications
• Google Maps Platform: Location search queries and coordinates for place autocomplete and geocoding
• PostHog: Anonymised usage events, session replay data, and crash reports for product analytics
• Amazon Web Services: All data is hosted on AWS infrastructure (RDS, S3, ElastiCache, CloudFront, Lambda)

These providers process data on our behalf and are contractually obligated to handle data in accordance with applicable data protection laws.

6.2. Other Users

Your profile information, children's profiles, and activity (playdates, events, reviews) are visible to other users based on your privacy settings. You control this visibility through the Privacy & Visibility settings in the App.

6.3. Business Accounts

When you interact with a business listing (view, call, follow, RSVP to events), we generate aggregated lead analytics for that business. Your individual identity is disclosed to the business only through actions you initiate (e.g. sending a direct message, writing a review).

6.4. Law Enforcement

We may disclose your data if required by law, court order, or lawful request from a government authority under Indian law.

7. Data Retention

• Account data: Retained until you delete your account. Upon deletion, data is removed from public access immediately and permanently purged within 30 days, except where retention is required by law
• Messages: Retained until account deletion or conversation deletion
• Notifications: Automatically deleted after 30 days
• Ignored connection requests: Automatically expired after 30 days
• Analytics data: Retained per PostHog's data retention policy
• Voucher data: Retained for the campaign period plus 30 days
• Media files: Deleted when removed by user or upon account deletion; files on storage are permanently purged within 30 days

8. Account Deletion

8.1. You can delete your account at any time from within the App: Profile → Settings → Delete Account. You will be asked to confirm by typing "DELETE".

8.2. Upon deletion, the following data is removed:

• Your profile and your children's profiles
• All connections, pending requests, and blocks
• Messages and conversation history
• Events you created and playdate requests
• Reviews you authored
• All uploaded photos and media
• Push notification tokens and device registrations

8.3. Data is removed from public view immediately and permanently purged from our servers within 30 days. Certain data may be retained longer if required by law or for legitimate business purposes (e.g. fraud prevention, legal claims).

8.4. You may also request account deletion by emailing support@tinysteps.social with the phone number associated with your account. We will process the request within 7 business days.

9. Your Rights

Under the DPDP Act, 2023 and SPDI Rules, 2011, you have the right to:

• Access: Request a summary of your personal data and how it is processed
• Correction: Update or correct inaccurate personal data through your profile settings or by contacting us
• Erasure: Delete your account and all associated data at any time through the App or by emailing us
• Withdraw Consent: Withdraw your consent at any time. Note that withdrawing consent may limit your ability to use the App
• Grievance Redressal: Lodge a complaint with our Grievance Officer or with the Data Protection Board of India

To exercise any of these rights, please contact us at support@tinysteps.social.

10. Privacy Controls in the App

TinySteps provides the following in-app privacy controls:

• Profile Visibility: Public, Connections Only, or Private
• Direct Message Privacy: Everyone or Connections Only
• Field-Level Privacy: Toggle visibility of address, date of birth, phone number, and email individually
• Blocking: Block any user to prevent them from seeing your profile or contacting you
• Account Deletion: Delete your account and all data from within the App at any time

11. Sensitive Personal Data (SPDI Rules)

Under the SPDI Rules, 2011, "sensitive personal data" includes passwords, financial information, health data, sexual orientation, and biometric data.

TinySteps collects the following that may qualify as sensitive personal data:

• Phone number: Used for authentication (classified as personal information)
• UPI ID: Collected from business accounts for payment settlement

We do not collect passwords (authentication is OTP-based), biometric data, health records, or sexual orientation data.

12. Cross-Border Data Transfer

Your primary data is stored in India (AWS Mumbai region). However, certain third-party services may process data outside India:

• Firebase Authentication and FCM (Google servers)
• PostHog analytics (US-based servers)
• Google Maps Platform (Google servers)

Such transfers are carried out in compliance with the DPDP Act, 2023 and applicable rules regarding cross-border data transfers. We ensure that adequate data protection standards are maintained by these service providers.

13. Cookies & Tracking Technologies

As a mobile application, TinySteps does not use browser cookies. We use the following tracking mechanisms:

• PostHog SDK for event tracking and session replay
• Firebase SDK for authentication state and push notification tokens
• Local device storage (AsyncStorage) for authentication tokens and app preferences

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer:

Grievance Officer
MINTech Innovations Private Limited
Plot No 2, Prime Anmol, Apartment Gorewada,
Katolroad, Nagpur - 440013, Maharashtra, India
Email: support@tinysteps.social

We will acknowledge your grievance within 24 hours and resolve it within 15 days of receipt, as required under applicable law.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective Date" at the top and notify you through the App. Your continued use after changes are posted constitutes acceptance of the revised Policy.

16. Contact Us

For any questions or concerns regarding this Privacy Policy or your personal data, please contact:

MINTech Innovations Private Limited
Plot No 2, Prime Anmol, Apartment Gorewada,
Katolroad, Nagpur - 440013, Maharashtra, India
Email: support@tinysteps.social