Privacy policy

Last updated: 1 June 2026

This privacy policy explains what data SecurePawnSystems ("we", "our", "the app") collects, why we collect it, and how it is protected. The short version: we cannot read your customers' data. We do not want to. The longer version follows.

1. Who we are

SecurePawnSystems is operated by Naveen Kumawat (Proprietor), based at Perumalla Palli, Tirupati, Andhra Pradesh, India. Contact: naveenkumawat756@gmail.com · WhatsApp +91 75696 19441.

2. What we collect

2.1 Data that reaches our servers

  • Mobile number — used for OTP-based login and for identifying your account. Required.
  • OTP codes — stored temporarily (hashed) and destroyed after use or expiry.
  • Session tokens — opaque tokens that authenticate your device. Revocable at any time from the app.
  • Trial / licence status — start date, expiry, renewals.
  • Payment records — order IDs and payment IDs returned by Razorpay; we never see your card or UPI details. Razorpay's own privacy policy applies to those.
  • Server logs — IP address, request timestamp, and endpoint path, kept for security and abuse-prevention for up to 30 days.

2.2 Data that stays on your device

Every customer record — name, address, mobile number, item description, loan amount, interest rate — is encrypted with AES-256-GCM on your device, using a key derived from your password. The password is never transmitted, stored, or backed up by us.

We literally cannot decrypt your customer records. If you forget your password and your 16-word recovery phrase, the data is mathematically unrecoverable — by anyone, including us.

2.3 Optional Google Drive backup

If you enable Google Drive backup, an encrypted copy of your records is uploaded to a folder named PawnBrokerBackups in your own Google Drive. We never see this file or its contents. We use the drive.file OAuth scope, which means the app can only see files it created — never the rest of your Drive. You can revoke this access any time from your Google Account permissions page.

3. Why we collect what we do

  • Mobile number + OTP — to verify it is really you signing in, and to enforce one device per account.
  • Trial / licence / payment records — to provide and renew the service you paid for, and to issue receipts.
  • Logs — to investigate abuse, fraud, and outages.

We never sell or rent your data. We never use it for advertising.

4. Third-party services

  • Razorpay — handles payment processing. We pass your order amount; Razorpay collects card / UPI / netbanking details directly. Their privacy policy: razorpay.com/privacy.
  • MSG91 — delivers OTP and licence-key notifications via WhatsApp / SMS. They receive your phone number and the message text.
  • Supabase — our database hosting provider. Customer records do not reach Supabase; only the account/licence data described in section 2.1 is stored there.
  • Railway — runs our backend server.
  • Google — provides Drive storage for backups (only if you opt in).

5. Data retention

  • Account and licence records: kept for as long as your account is active, plus 6 years for tax/legal compliance.
  • Server logs: 30 days.
  • Used / expired OTPs: deleted within 24 hours.
  • Account deletion: write to us and we will delete your account and associated server-side records (except records we must retain for tax/legal reasons) within 30 days.

6. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct it if it's wrong.
  • Delete it (subject to tax/legal retention).
  • Withdraw consent for non-essential processing.

Mail us at naveenkumawat756@gmail.com and we will respond within 7 working days.

7. Security

  • All server traffic is HTTPS / TLS-encrypted.
  • Customer records are AES-256-GCM encrypted on-device. The encryption key is derived from your password via PBKDF2 with 100,000 iterations and a per-device random salt.
  • Passwords are never stored, transmitted, or backed up.
  • Brute-force attempts on the app are rate-limited with an escalating lockout (5 wrong attempts = 60 s, 10 = 5 min, 15 = 30 min, 20 = 24 h).
  • Refresh-token rotation with reuse detection — a stolen token triggers session revocation as soon as a duplicate is presented.

8. Children

The service is intended for adult business owners. We do not knowingly collect data from anyone under 18.

9. Changes

We may update this policy. Material changes will be notified via the app or by email. The "Last updated" date at the top reflects the most recent revision.

10. Contact

  • Email: naveenkumawat756@gmail.com
  • WhatsApp: +91 75696 19441
  • Postal: Naveen Kumawat, Perumalla Palli, Tirupati, Andhra Pradesh, India