Privacy Policy
Last updated: June 29, 2026 · Version 2.0
1. Who we are
MatrioshkaLabs Private Limited (“MatrioshkaLabs”, “we”, “us”) builds privacy-first consumer apps and enterprise moderation infrastructure, including Hush, HushSafe, HushAI, and HushDate.
- Legal entity: MatrioshkaLabs Private Limited
- Registered address: Bengaluru, Karnataka, India
- Contact: hello@matrioshkalabs.com
2. Quick summary
This table summarizes what we collect, why, how long we keep it, and who may access it. The full legal text follows below.
| Data type | Purpose | Legal basis | Retention | Shared with |
|---|---|---|---|---|
| Account & profile | Provide services, authentication | Consent / contract | Account lifetime + 90 days | Infrastructure processors |
| Messages & UGC | Messaging, moderation, safety | Consent / legitimate interest | Per product policy; deleted on request | HushSafe (internal); no sale |
| Waitlist & contact forms | Early access, support, demos | Consent | Until unsubscribe + 12 months | Resend, Loops, Supabase |
| Usage & analytics | Improve products, security | Consent / legitimate interest | 26 months (aggregated) | PostHog, Vercel Analytics |
| Payment & billing | Enterprise subscriptions | Contract / legal obligation | 7 years (tax records) | Payment processors |
3. What data we collect
Hush
Anonymous messaging may include display handles, message content, device identifiers, and moderation metadata. We minimize identifiers and do not require legal names.
HushSafe
Enterprise customers submit content for moderation via API. We process text, media metadata, and platform-provided user IDs as a data processor on behalf of the customer.
HushAI
Chat prompts, conversation context (when cloud mode is enabled), and on-device inference logs when you opt into local processing.
HushDate
Profile preferences, compatibility signals, optional verification data, and location fuzzing coordinates — never precise GPS without explicit consent.
4. How we use your data
We use personal data only for stated purposes: operating our products, keeping users safe, improving features, communicating with you, and meeting legal obligations. We do not sell personal data.
5. Legal basis for processing
- DPDP (India): Consent, legitimate use, and legal obligations as defined under the Digital Personal Data Protection Act, 2023.
- GDPR (EU/EEA): Consent, contract performance, legitimate interests, and legal obligations where applicable.
- CCPA (California): We do not sell personal information. Rights to know and delete apply as described below.
7. Cross-border data transfers
Where data leaves India, we apply appropriate safeguards including standard contractual clauses and transfer impact assessments. We monitor DPDP government notifications on permitted destinations.
8. How long we keep your data
We retain data only as long as necessary for each purpose, then delete or anonymize it. Account data is removed within 90 days of deletion request completion unless law requires longer retention.
9. Your rights
Under DPDP (India)
- Access your personal data
- Correction of inaccurate data
- Erasure when consent is withdrawn or purpose is fulfilled
- Grievance redressal via our Grievance Officer
- Nominate another individual to exercise rights on your behalf
Under GDPR (EU/EEA)
- Access, rectification, erasure, restriction, portability, object, and withdraw consent
Under CCPA (California)
- Know, delete, opt-out of sale (we do not sell data), and non-discrimination
Exercise rights at privacy@matrioshkalabs.com.
10. Children's privacy
HushDate is for users 18+. Hush and HushAI require users to be 13+. We do not knowingly collect data from children below these thresholds. Contact us to request deletion if you believe a child has provided data.
12. Security measures
We employ encryption in transit and at rest, access controls, audit logging, and regular security reviews. No method is 100% secure; report concerns to security@matrioshkalabs.com.
13. Changes to this policy
We will notify users of material changes via email or in-app notice at least 30 days before they take effect, where required by law.
14. How to contact us
General privacy inquiries: privacy@matrioshkalabs.com
Grievance Officer (IT Rules 2021)
Name: Elena Vasquez
Entity: MatrioshkaLabs Private Limited
Email: grievance@matrioshkalabs.com
Postal address: Bengaluru, Karnataka, India
Response time: Grievances acknowledged within 24 hours and resolved within 48 hours where possible.
15. How to file a complaint
- India (DPDP): Data Protection Board of India once operational; contact our Grievance Officer first.
- EU/EEA (GDPR): Your local supervisory authority.
- California (CCPA): California Attorney General.
Version changelog
- v2.0 — June 29, 2026: Full DPDP-compliant rewrite; added summary table, Grievance Officer block, product-specific sections, and cross-border transfer details.
- v1.0 — June 1, 2026: Initial privacy policy template.
This policy is a draft for counsel review before production launch.