Privacy Policy
We collect the smallest amount of data that lets BadaMangal stay useful and safe to use. This page explains exactly what we collect, why, where it sits, and how to ask us to delete it.
Last updated: 10 May 2026
1. The short version
- We do not sell your data, ever.
- We do not run third-party advertising trackers.
- Phone numbers are stored only as one-way salted hashes; we cannot read them back.
- Photos you upload are converted to WebP, stripped of EXIF metadata, and stored on Supabase Storage.
- You can ask us to delete your contributions at any time by emailing namaste@badamangal.com.
2. What we collect
2.1 When you list a bhandara
- The bhandara details you submit (name, address, area, dates, menu, capacity, organiser name).
- An organiser phone number, used solely for OTP verification at submission time and to let the BadaMangal team reach out privately if a listing needs clarification. The raw number is never shown publicly on the site; only a salted, one-way hash of it is kept in our database for verification lookups.
- Optional UPI ID, used to receive sponsorship contributions. Not displayed publicly unless you explicitly opt in to a public sponsorship card.
- Optional photograph(s) of the bhandara.
2.2 When you spot a bhandara
- The location pin you drop or share via your browser's geolocation.
- An optional reporter name (first name only is fine), optional caption, and optional photo.
- If you choose to verify by phone, a salted hash of your number; the raw number is never stored.
2.3 When you post in the live feed
- Your chosen display name and optional photo.
- The text of your post.
- A salted hash of your phone number (used for moderation and rate-limiting).
2.4 When you fill the contact form
- Your name, email, optional phone, optional subject, and the message you send us.
2.5 Automatic technical data (every visit)
- A salted hash of your IP address (used to rate-limit submissions and detect abuse). The raw IP is never stored.
- The first ~240 characters of your browser's user-agent string (used to debug submission issues).
- Standard server logs handled by our hosting provider; these are short-lived and used for operational purposes.
3. Cookies and local storage
BadaMangal uses very few client-side storage items:
- Language preference (cookie): remembers whether you chose Hindi or English so we can show the right copy on your next visit. No tracking value.
- Phone-verification token (cookie, signed): set after you complete OTP verification on the listing or post flows so you don't have to re-verify on every submission. Contains only the hash, an expiry, and a signature; no raw phone number.
- Session-storage flags (browser-only, never sent to us): small UI state like “you dismissed the activity ticker” so it doesn't come back during the same browser session.
4. Analytics
We use Google Analytics 4 to understand how the site is used in aggregate (page views, country, device class, which CTAs are clicked). GA4 sets its own first-party cookies and processes data per Google's privacy terms. We do not enable advertising features, remarketing, or Google Signals on this property. If you would prefer not to be counted, any modern browser's tracking-protection or an ad-blocker will prevent the GA4 script from loading.
5. Where your data lives
- Database: Supabase (managed Postgres, currently in the Asia-Pacific Singapore region).
- Photo storage: Supabase Storage in the same region. Photos are served via a public CDN URL because the listings page is public.
- Hosting: Netlify, edge-cached globally; only static assets and pre-rendered pages travel through their network. Server-rendered pages and API routes execute as serverless functions in the closest available region.
- Email: contact-form messages are stored in our Supabase database; we may also receive a copy by email at namaste@badamangal.com.
6. How long we keep things
- Bhandara listings: kept for the lifetime of the season they refer to, plus one year for archival reference. After that, they are either anonymised (organiser name + phone hash removed) or deleted.
- Spots: auto-expire after 8 hours from a public surface. The underlying record is kept for up to 30 days for abuse analysis, then deleted.
- Posts in the live feed: kept while moderation status is “approved”; rejected or shadowed posts are purged after 90 days.
- Contact-form messages: kept for 12 months from the date sent so we can refer back during a long conversation.
- Phone-verification cookies: expire after 30 days.
7. Your rights
You may, at any time, ask us to:
- Show you what data of yours we hold.
- Correct anything that is wrong.
- Delete a specific listing, spot, post, or contact-form message you submitted.
- Delete every record we associate with a particular phone-number hash you can prove control of (e.g. by completing an OTP from that number).
- Stop receiving any further email from us.
Email namaste@badamangal.com with the subject line “Privacy request” and tell us what you'd like done. We aim to respond within 14 days.
8. Children
BadaMangal is not directed at users under the age of 18 and we do not knowingly collect data from minors. If you believe a child has submitted information to us, please contact us so we can remove it.
9. Security
We use industry-standard precautions: TLS in transit, salted hashes for identifiers, server-side validation on every submission, and per-IP rate limits on write APIs. No system is perfectly secure; if you spot a vulnerability, please write to namaste@badamangal.com before disclosing it publicly so we can fix it.
10. International transfers
Our hosting providers may move data across borders for operational reasons (caching, backups, fail-over). All such transfers are governed by the providers' standard contractual clauses, which we accept on your behalf when you contribute.
11. Changes to this policy
We may update this Privacy Policy as the site evolves. The “Last updated” date at the top of the page reflects the most recent change. Material changes will be flagged on the homepage for at least seven days.
12. Contact
Questions about your privacy on BadaMangal? Reach the team at namaste@badamangal.com or via the contact form.