Privacy Policy

MudraGen ("we," "us," or "our") is committed to protecting the privacy and security of your personal and business data. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our website, AI-powered project report generation services, user accounts, and generated documents.

This policy applies to all users of MudraGen's platform and complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000/2008 (as amended), RBI Master Directions on Digital Lending (where applicable), and other relevant Indian laws and regulations.

By using MudraGen, you consent to the collection and use of your data as described in this policy. If you do not agree, please do not use our services.

Identity & Contact Information

• Full name, father's/husband's name, date of birth, gender
• Email address, mobile/phone number
• Residential and permanent address
• Aadhaar number, PAN number (if provided voluntarily for report generation — masked in storage)
• Business name, GSTIN, Udyam Registration number

Financial & Business Information

• Loan category (Shishu/Kishore/Tarun), requested loan amount
• Business type, activity type, project cost estimates
• Projected turnover, capacity details, operational information
• Bank details entered for report generation (processed but not stored long-term)

Technical & Usage Data

• IP address, browser type, device information, operating system
• Pages visited, time spent, clickstream data (via analytics)
• Cookies and similar identifiers (see "Cookies" section)

MudraGen offers sign-in via Google (using Firebase Authentication). This section describes how we handle data received from Google, in accordance with the Google API Services User Data Policy.

3a. Data Accessed

When you sign in with Google, we access only the following data from your Google account:

• Display name associated with your Google account
• Email address associated with your Google account
• Profile photo URL

MudraGen requests only the default Google Sign-In scopes (basic profile and email). We do not access Google Drive, Gmail, Google Calendar, Google Contacts, or any other Google service or API beyond basic authentication.

3b. How We Use Google User Data

• Your Google display name and email address are used to create and maintain your MudraGen user account
• Your email address serves as your unique login identifier and is used for essential service communications (e.g., email verification, account notifications)
• Your email address may appear as the applicant contact email in AI-generated loan project reports that you request — this is part of the core service you use
• Your Google profile photo URL may be displayed alongside feedback and ratings you submit on the platform

3c. Data Sharing

• We do not sell, rent, or trade your Google user data to any third party
• Your Google email address may be included in data sent to our AI service provider (Anthropic/Claude) solely for the purpose of generating your requested loan project report. Anthropic processes this data under a data processing agreement and does not use it for model training
• Your Google user data is stored on Google Cloud/Firebase infrastructure under Google's enterprise data protection terms
• No other third parties receive your Google user data unless we are legally compelled to disclose it

3d. Data Retention & Deletion

• Your Google display name and email address are retained in your user profile for as long as your account is active
• You can delete your account at any time from the account menu in your Dashboard. Upon deletion: your user profile, all projects, generated reports, and newsletter subscription are permanently removed; feedback records are anonymised; your email address and project generation count are archived in a restricted collection solely for abuse prevention
• To request complete erasure of all data including abuse-prevention archives, email contact@mudragen.com
• Google OAuth access tokens are not stored by MudraGen. We use only Firebase-issued session cookies (5-day expiry) and short-lived Firebase ID tokens (1-hour expiry) for authentication

3e. Data Storage & Security

• Google user data is stored in Google Cloud Firestore with encryption at rest (AES-256) and encryption in transit (TLS/HTTPS)
• Authentication sessions use HTTP-only, secure, SameSite cookies to prevent cross-site attacks
• Access to user data is restricted by Firebase Security Rules and server-side role-based access controls
• We conduct regular dependency audits and security reviews to maintain data protection standards

• Directly from you: When you register, fill in forms, generate project reports, or contact us
• Automatically: Through cookies, analytics tools (Google Analytics 4), and server logs when you browse our site
• Third parties: Authentication providers (Firebase Auth), payment processors (Razorpay — we do not store card/payment instrument data)

We process your data for the following purposes:

• Service delivery: To generate project reports, business plans, and financial projections for your Mudra loan application
• Account management: To create and maintain your user account, authenticate sessions, and manage your projects
• Communication: To send email verifications, service updates, and (with your opt-in consent) marketing communications
• Platform improvement: To analyse usage patterns, improve our AI models, and enhance user experience
• Legal compliance: To comply with applicable laws, regulations, and government requests
• Consent-based marketing: Only with your explicit opt-in consent, for newsletters and promotional content

Under the DPDP Act 2023, our lawful bases include: your explicit consent, legitimate purpose for service delivery, and compliance with legal obligations.

We do not sell your personal data. We may share data with:

• Service processors: Cloud infrastructure providers (Google Cloud/Firebase), AI service providers (Anthropic, Google) — for processing only, bound by data protection agreements
• Legal authorities: Government bodies, regulators, or law enforcement only when legally compelled by court order, statutory requirement, or lawful process
• Professional advisors: Auditors, legal counsel — under strict confidentiality obligations

We never share your data with banks or financial institutions for loan processing unless you explicitly request and authorise such sharing.

We retain your personal data for as long as your account is active and for a statutory retention period thereafter (5–7 years for financial records as required under Indian tax and companies law). After this period, data is securely anonymised or permanently deleted.

• Account data: retained while account is active + 30 days after deletion request
• Generated reports: retained for the duration of your account
• Financial input data: processed for report generation, not stored beyond the generated document
• Analytics data: retained per Google Analytics default retention settings

Under the Digital Personal Data Protection Act, 2023, you have the right to:

• Access: Request a summary of your personal data we hold and how it is processed
• Correction: Request correction of inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Withdraw consent: Withdraw previously given consent at any time; this does not affect the lawfulness of processing before withdrawal
• Grievance redressal: Lodge a complaint with our Grievance Officer or the Data Protection Board of India
• Nominate: Nominate a person to exercise your rights in case of death or incapacity

To exercise any of these rights, please email contact@mudragen.com with your request details. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect your data:

• Encryption in transit (TLS/HTTPS) and at rest (AES-256 via cloud provider)
• Firebase Authentication with secure session management
• Role-based access controls and principle of least privilege
• Regular security reviews and dependency audits
• Sensitive data masking (e.g., Aadhaar numbers displayed as XXXX XXXX 1234)

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to responding promptly to any identified vulnerabilities.

We use the following types of cookies:

• Essential cookies: Session authentication cookie (__session) — required for the platform to function. Cannot be disabled.
• Analytics cookies: Google Analytics 4 — to understand usage patterns and improve the platform. You may opt out via browser settings or Google Analytics opt-out browser add-on.
• Marketing cookies: Only set with your explicit opt-in consent for personalised communications.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

We may ask for anonymous feedback after you use our service (e.g., after downloading a generated report) to improve quality and user experience. Participation is entirely optional — you can skip or close the feedback prompt at any time.

• Feedback consists of a star rating (1–5) and an optional free-text comment
• Feedback is stored without personal identifiers unless you voluntarily include them in the comment field
• We associate feedback with your user account and project ID solely to prevent duplicate prompts — this data is not used for profiling
• Feedback data is used only for product improvement and is never shared with third parties

Your data is primarily stored and processed in India using Google Cloud infrastructure. In some cases, data may be processed outside India (e.g., by AI service providers for report generation, CDN delivery). Where cross-border transfers occur, we ensure appropriate safeguards are in place, including contractual data protection clauses, in compliance with the DPDP Act and any applicable transfer regulations notified by the Central Government.

MudraGen is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18 without verifiable parental or guardian consent, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at contact@mudragen.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email to registered users and/or a prominent notice on our website. The "Last Updated" date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically.

In accordance with the DPDP Act 2023 and IT Act 2000, we have appointed a Grievance Officer:

If you are unsatisfied with our response, you may escalate your complaint to the Data Protection Board of India as constituted under the DPDP Act 2023.

To exercise any of your rights under the DPDP Act — including data access, correction, erasure, restriction of processing, data portability, or withdrawal of consent — or to file a grievance, please contact our Grievance Officer directly via email:

We do not provide an online form for privacy requests. All requests must be sent via email to ensure proper tracking and response.