We are committed to protecting reader privacy. This policy describes the personal data we collect, how we use it, and the rights you have under India's Digital Personal Data Protection Act 2023 (DPDP) and other applicable laws.
# 1. Data we collect
- Account data: email, username, password hash, locale preference, edition preference.
- Authentication metadata: IP at sign-in, device user-agent summary, login outcomes, trusted-device cookie status.
- Reading activity: articles you view (aggregated), saved stories, topic follows, comment history.
- Subscriptions: newsletter opt-ins, push subscriptions, ePaper edition preferences.
- Performance signals: sampled page-load timings (TTFB, LCP, CLS, INP); these beacons contain no PII.
- Cookies: session (HttpOnly + SameSite=Lax + Secure on HTTPS), DPDP consent, trusted-device (signed), edition preference.
# 2. How we use your data
- Authenticating your account and securing it against fraud.
- Delivering personalised content (saved stories, topic follows, edition homepage).
- Sending operational emails (resets, security alerts).
- Sending newsletter and breaking news alerts ONLY when opted in.
- Measuring aggregate performance to improve experience.
- Complying with IT Rules 2025 and DPDP Act 2023.
# 3. Your rights under the DPDP Act 2023
Under the Act, you have the right to:
- Access: request a summary of personal data we hold.
- Correction: ask us to correct inaccurate data.
- Erasure: request deletion (subject to retention required for legal compliance).
- Withdraw consent: at any time via account settings.
- Grievance redressal: escalate to our Grievance Officer or, if unresolved, to the Data Protection Board of India.
Grievance Officer
Configure the DPDP_GRIEVANCE_NAME / EMAIL / PHONE env vars before the production deploy. See the Standalone DPDP notice for the full grievance process.
# 4. Data retention
- Audit log entries: 12 months.
- Comment content: retained, with the author attribution replaced by "deleted user" on account deletion.
- Anonymised reading-activity rollups: retained indefinitely.
- Raw performance beacons pruned within 7 days; aggregates retained 90 days.
# 5. Third parties
- Email delivery (transactional + newsletter).
- CDN / hosting / DDoS protection.
- Bot protection (Cloudflare Turnstile).
- Observability + error reporting (aggregated only).
We do not sell personal data. We do not share personal data with advertisers beyond aggregated audience signals.
# 6. Security
- Passwords hashed with bcrypt or Argon2 using per-user salts; rehashed when the cost parameter is upgraded.
- HttpOnly + SameSite session cookies, with the Secure flag set in production.
- Strict CSP with per-request nonces.
- HSTS with includeSubDomains + preload.
- Two-tier authentication rate limits (per source IP and per target email address).
- HMAC-signed trusted-device cookie.
# 7. Children
This site is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, contact the Grievance Officer for prompt erasure.
# 8. Changes to this policy
We will notify reader account holders by email when material changes are made and require re-acknowledgement of the DPDP consent banner. Past versions are tracked in our git history.