Privacy Policy.
1. Who we are
This Privacy Policy explains how HephaTech ("we", "us", "our"), through its product StatusLoop, collects, uses, stores, and protects personal data of visitors and users of the StatusLoop website at statusloop.hephatech.in and the StatusLoop mobile app (the "App").
StatusLoop is an anonymous-by-design quiz app: there is no email, phone, or social sign-in. Sessions are tied to an anonymous identifier generated on your device. HephaTech is the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") for the limited categories of data described below.
Registered office: [Registered address], India.
2. Scope & legal basis
This policy is issued in compliance with:
- The Digital Personal Data Protection Act, 2023 (DPDP Act) and any rules notified under it
- The Information Technology Act, 2000 ("IT Act") and the SPDI Rules, 2011
- The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020 to the extent applicable
We process the small amount of personal-ish data we hold on the lawful basis of your continued use of the App (deemed consent under DPDP §6) and legitimate uses for security, abuse prevention, and operational logging (DPDP §7).
3. What the website collects
The marketing website at statusloop.hephatech.in collects almost nothing:
- Server logs via our hosting provider (Vercel): your IP address, user-agent, requested URL, referrer, and timestamp — used for delivery, security, and abuse prevention
- Service-worker cache: the website registers a service worker (/sw.js) so it works offline. The cache lives entirely in your browser and contains the website's own static files only
The website has no contact form, sets no cookies, runs no analytics, and asks for no personal information.
4. What the StatusLoop app collects
4.1 Device identifier (anonymous)
On first launch, the App generates a random identifier and stores it in your device's local storage (statusloop-user). This identifier is not derived from any device hardware ID, advertising ID, or other persistent platform identifier — it is a random string we created. We use it to keep your streak, match results to your past creations, and reconstruct chains across friends.
You can reset this identifier at any time by reinstalling the App or clearing local storage from Settings → Clear History.
4.2 Optional profile
- Handle: an optional display name you choose. Defaults to none. Visible only on cards you choose to share.
- Locale: the device language setting, used only to choose appropriate pack content.
4.3 Quiz activity
- The pack you took (pack_id) and its title
- Timestamps for when you started and finished each pack
- Your result for that pack — title, subtitle, score, traits, color scheme — stored in the creations table on Supabase
- Aggregate counters: streak, share count, chain count
4.4 Sharing activity
- The platform you shared to (Instagram / Snapchat / WhatsApp / Telegram), recorded in the share_links table
- A short referral code (refCode) and a share-link ID (shareLinkId) which we attach to deep links so we can reconstruct chains when a friend opens your link — see §7 below
4.5 Analytics events
We send the following event names to PostHog with your anonymous device ID and the listed properties:
- pack_viewed, creation_started, creation_completed — pack ID, score, result type
- share_clicked, share_completed_hint — channel, pack ID
- link_opened, install_attributed — refCode, shareLinkId
- pack_revisited — pack ID
PostHog does not receive any name, email, phone, photo, contact, or other personal identifier.
4.6 Push-notification tokens
If you allow push notifications, the App registers an Expo push token with our backend so we can send streak nudges and weekly reminders. The token is invalidated when you uninstall.
4.7 What the App does not collect
- No name, email, phone number, photograph, or social profile (we have no auth)
- No location, GPS, or geofencing data
- No camera, photo-library, microphone, or contacts access
- No advertising ID or hardware identifier
- No payment information (the App is free)
- No biometric or sensitive personal data
5. Why we collect it
| Category | Purpose | Lawful basis |
|---|---|---|
| Device identifier, handle, locale | Keeping your streak, matching results to your past quizzes, identifying your shares | Deemed consent (DPDP §6) — provision of the service you requested |
| Quiz activity, sharing activity | Showing your stats; powering chain tracking; trending and discovery | Deemed consent (DPDP §6) |
| PostHog event telemetry | Understanding which packs are popular, where users drop off, in aggregate | Legitimate use (DPDP §7) — service improvement |
| Server logs | Operational delivery, security, rate-limiting | Legitimate use (DPDP §7) |
| Push tokens | Sending streak nudges only if you have opted in to notifications | Consent (DPDP §6) |
6. Sharing & disclosure
We share data only with the following Data Processors, each bound to use it strictly per our instructions:
- Supabase — backend storage of users, creations, share links, chain events, and analytics events. Supabase's policy: supabase.com/privacy
- PostHog — aggregate event analytics. Policy: posthog.com/privacy
- Expo Push Notifications — relay of push tokens / messages. Policy: expo.dev/privacy
- Vercel — hosts the marketing website (logs only). Policy: vercel.com/legal/privacy-policy
Native share sheets: when you tap a share button, the App hands the result card off to your device's native share dialog. The destination platform (Instagram, Snapchat, WhatsApp, Telegram, etc.) is governed by its own privacy policy. We send no data directly to those platforms. If you pass the card through your phone's system share menu to other apps, those apps are also governed by their own terms.
We do not sell, rent, or share data with advertisers or data brokers. We have no advertising SDKs of any kind.
We may disclose data if required to do so by law, by court order, or by a competent authority issuing a lawful direction under the IT Act, the DPDP Act, or the Code of Criminal Procedure.
7. Share links & chain tracking
When you share a result card, the App generates a deep link of the form https://statusloop.app/p/{packSlug}?ref={refCode}&sl={shareLinkId}. When a friend opens that link:
- Their App reads the shareLinkId and records that the link was opened
- If they install or take the same pack, the App records that they came from your share
- Your App can then show "X friends took this pack" and reconstruct your chain
We do not reveal any of the following to either party: the friend's identity, contact, IP, device, or location. Both you and your friend remain anonymous. Only the linkage "this share led to that take" is recorded. If you do not want chain tracking, do not use the share buttons in the App.
8. Cross-border transfers
The Data Processors listed above may host or process data on servers outside India (Supabase, PostHog, Expo, and Vercel operate primarily from the United States). Such transfers are necessary for the service and are protected by the contractual obligations those vendors are subject to. The Indian government may, by notification under DPDP §16, restrict transfers to specified countries; we will comply with any such notification.
9. How long we keep data
- Anonymous device records: retained while the device-bound account is active. Cleared from the server 180 days after the last activity if you have not used the App in that time
- Creations and share links: retained for the same period as the device account
- PostHog events: retained per PostHog's default retention (typically 12 months) and then aggregated/deleted
- Server logs: up to 90 days at the hosting layer, then purged
- Local storage on your device: cleared when you tap "Clear History" in the App or uninstall
Because there is no account, there is currently no in-App "delete server data" action — you can clear your local data and your server-side records will age out under the schedule above. We are working on adding a one-tap erasure flow; until then, write to the Grievance Officer (§14) and we will erase your records within 30 days.
10. How we secure data
- HTTPS / TLS 1.2+ for everything; strict HSTS, CSP, X-Frame-Options DENY on the website
- Supabase row-level security policies on every table
- Anonymous device identifier — no email/phone/contact to leak
- No advertising or fingerprinting SDKs
- Secrets (Supabase keys, PostHog keys) injected at build time via EAS secrets, never embedded in the source bundle
11. Your rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access a summary of the data tied to your anonymous device ID. Tell us your device ID (Settings → About) and we will return what we have
- Correct inaccurate data — though most of what we hold is auto-generated, your handle and locale are user-editable in Settings
- Erase your records. Until we ship in-App erasure, write to the Grievance Officer with your device ID
- Withdraw consent by uninstalling the App and asking us to erase your records
- Grievance redressal — see §14
- Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity (DPDP §14)
We will respond to any DPDP request within 30 days. Email hello@hephatech.in with the subject "DPDP Request — StatusLoop".
12. Children
StatusLoop is not directed at children under 13 years of age, and we do not knowingly collect personal data from anyone we know to be under 13. The App content includes themes (relationships, identity, pop culture) better suited to teens and adults. Where users are between 13 and 18, we recommend parental supervision.
Where we do process the personal data of any individual under 18, we obtain verifiable parental consent in the manner prescribed under §9 of the DPDP Act.
If you believe we have collected data from a child without consent, contact hello@hephatech.in and we will delete it.
13. Data breach handling
In the event of a personal-data breach, we will notify the Data Protection Board of India and each affected Data Principal as required under §8(6) of the DPDP Act, with sufficient detail and within the timelines prescribed by the Rules.
14. Grievance redressal
For any complaint about how your data has been handled, you may contact our Grievance Officer:
- Name: [Grievance Officer name]
- Email: [Grievance Officer email]
- Phone: [Grievance Officer phone]
- Address: [Registered address]
The Grievance Officer will acknowledge your complaint within 72 hours and resolve it within 30 days. If you remain dissatisfied, you may escalate to the Data Protection Board of India.
15. Changes
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged in-App and on the marketing site for 30 days before they take effect.
16. Contact
For any privacy-related question, email hello@hephatech.in or write to the Grievance Officer above.
This document is a good-faith draft prepared in line with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. We recommend obtaining independent legal advice before relying on it for production.