Compliance

Privacy Policy

Last Updated: April 14, 2026

1. Data We Collect

When you create an account on CharchaCafe, we collect your email address, and — if you sign in with Google — your name and profile picture from Google OAuth. If you sign up with email and password instead, we collect only the email address; name and avatar can be added later from your profile. We also collect data you provide voluntarily (bio, job title, city, interests) and transaction history for billing purposes where applicable.

2. How We Use Google User Data

CharchaCafe's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2.1 Google Meet Integration

CharchaCafe uses the Google Meet REST API to provision meeting spaces on your behalf when you host an online Charcha.

Scope requested: https://www.googleapis.com/auth/meetings.space.created

When this access is used:

  • Only when you, as the host, explicitly click "Provision Google Meet" while creating or managing an online Charcha session.
  • Access is one-time per session — we create a Meet space, store its identifier, and the scope is not re-used except to end the conference if you choose to.

What we access:

  • We create a new Google Meet space linked to your Google account.
  • We store the returned meeting code, meeting URL, and conference ID in our database so that confirmed members can join the session.

What we do NOT access:

  • We do not access your Google Calendar, Gmail, Drive, Contacts, or any other Google service.
  • We do not read, record, or store the content of your meetings.
  • We do not access Meet spaces created outside of CharchaCafe.
  • We do not access your other meetings, past or future.

Who sees the meeting link:

  • Only the host and confirmed members of that specific Charcha session can view the meeting link.
  • Meeting links are shown on the Charcha detail page for confirmed members and included in session reminder emails.

Retention and deletion:

  • The stored meeting link and conference ID are retained as long as the Charcha exists in our system.
  • When a Charcha is deleted, the associated meeting references are removed.
  • You can revoke CharchaCafe's access to your Google account at any time via Google Account Permissions. After revocation, CharchaCafe will no longer be able to provision new Meet spaces on your behalf, but existing meeting links remain valid per Google's own policies.

Limited Use compliance: We use Google user data solely to provide the meeting-provisioning feature described above. We do not transfer this data to third parties, use it for advertising, perform analytics on it, or allow humans to read it except (a) with your explicit consent, (b) for security purposes such as investigating abuse, or (c) to comply with applicable law.

3. Data Storage

Your account data, profile, and Charcha records are stored in Google Cloud Firestore. Payment data (when payments are enabled) is processed by Razorpay and never stored on CharchaCafe servers.

4. Data Protection & Security

We protect your data — including sensitive data such as Google OAuth tokens, authentication credentials, and (where applicable) payment-related identifiers — using the following mechanisms:

  • Encryption in transit: all traffic between your browser, our backend (api.charchacafe.com), and downstream services (Firebase, Razorpay, Resend, Google APIs) is encrypted using TLS 1.2+ over HTTPS. Plain HTTP is redirected to HTTPS at the edge.
  • Encryption at rest: Cloud Firestore encrypts all stored data at rest using AES-256, managed by Google Cloud. Firebase Authentication credentials are stored and salted/hashed by Firebase using its standard secure mechanisms — we never store raw passwords.
  • Google OAuth tokens: access and refresh tokens are stored in Firestore (which applies AES-256 encryption at rest, as noted above). They are scoped to the minimum permission needed — https://www.googleapis.com/auth/meetings.space.created (Google Meet space creation only) — never logged in our application logs, never sent to third parties, and revocable at any time via your Google Account Permissions. We use these tokens solely to provision Meet links for Charchas you host.
  • Payment data: all payment information is collected, processed, and stored by Razorpay (PCI-DSS compliant). CharchaCafe receives only non-sensitive metadata such as order IDs and payment status. We never store card numbers, CVVs, UPI handles, or banking credentials. Host banking details (when added for payouts) are stored in Firestore with the same at-rest encryption and access-controlled to the host who owns them.
  • Access controls: backend access to user data is gated by Firebase Authentication tokens and per-route guards. Administrative access is restricted to a small set of authorized accounts and every privileged action (suspending a user, deleting a charcha, resetting a password, viewing reports) is recorded in an immutable audit log.
  • Rate limiting & abuse protection: sensitive endpoints (account creation, charcha submission, join requests, reports) are rate-limited per user to prevent automated abuse. Reports of policy violations are reviewed by admins.
  • Data minimisation & retention: we collect only the data needed to operate the platform. Account deletion (via support@charchacafe.com) removes your profile, notifications, and Google tokens; financial records that are required for tax or refund compliance are retained per applicable law.
  • Breach response: if we discover a security incident affecting your data, we will notify affected users without undue delay via email and on this page, including the scope of the incident and the steps we're taking.

No system can guarantee absolute security, but the controls above are designed to make compromise difficult and to limit blast radius if it occurs. Vulnerability reports are welcome at support@charchacafe.com.

5. Data Sharing

We do not sell your data. We share data only with service providers essential to operating the platform:

  • Firebase / Google Cloud — hosting, authentication, and database.
  • Razorpay — payment processing (only when you make a purchase).
  • Resend — transactional and marketing email delivery.

6. Your Rights

You can:

  • View and edit your profile at any time from the Profile page.
  • Delete your account by contacting support@charchacafe.com.
  • Opt out of marketing emails via the unsubscribe link in any email or the email preferences section of your profile.
  • Revoke Google access at any time via Google Account Permissions.

7. Contact

For privacy-related questions, email support@charchacafe.com.