Privacy Policy
Effective date: April 27, 2026
1. Introduction
Mitwa (“we”, “our”, “us”) is an AI-powered personal finance management platform built for India. This Privacy Policy explains how we collect, use, store, share, and protect your personal and financial information when you use Mitwa (“the Service”).
By creating an account or using the Service, you consent to the practices described in this Policy. This Policy is compliant with the Digital Personal Data Protection (DPDP) Act, 2023 and applicable Rules thereunder.
2. Data We Collect
2.1 Personal Information
- Full name, username, email address, phone number
- Date of birth, gender, city, country
- Employment type (salaried, self-employed, freelancer, student, unemployed)
- Profile avatar (if uploaded)
- Marital status and dependent information (if provided voluntarily)
2.2 Financial Information
We collect financial information in two ways: (1) data you enter manually into the Service, and (2) data you choose to share via RBI's Account Aggregator (AA) framework, where you grant time-limited consent through your bank or AA participant; this data is fetched and processed by our AA technology partner (e.g. Setu), a licensed Account Aggregator. We never ask for or store your net banking passwords, UPI PINs, or card CVVs.
Depending on how you use Mitwa, this may include:
- Bank account details (bank name, account identifiers, IFSC where applicable, balance, account type)
- AA consent identifiers and sync metadata needed to refresh linked accounts
- Credit card details you provide (card name, bank, credit limit, outstanding balance, last 4 digits, statement date)
- Loan details (loan type, lender, outstanding amount, EMI, interest rate, tenure)
- Investment portfolio details (type, invested amount, current value)
- Asset details (real estate, vehicles, gold, cash and their values)
- Transaction history (amount, category, payment method, date, description)
- Financial goals, income, monthly expenses, savings targets
- Receivables and payables (money owed to or by you)
2.3 Mitwa AI interaction data
- Chat messages sent to and received from Mitwa AI
- Your financial context (net worth, income, expenses, EMI burden) injected into prompts for Mitwa AI
- Mitwa AI–generated financial reports you request
Note: Your financial context and chat messages are transmitted to Anthropic (Claude AI) for processing. Please see Section 5 for details on third-party data sharing.
2.4 Payment Data
- Subscription plan (Free, Pro, Premium) and billing cycle
- Razorpay order ID, payment ID (we do not store raw card numbers or CVVs)
- Payment status and transaction history
2.5 Technical & Usage Data
- IP address, browser type, device information
- Pages visited and features used within the app
- Session tokens (stored in secure HTTP-only cookies via NextAuth.js)
- Error logs and diagnostic data
3. How We Use Your Data
We use your data to:
- Provide, operate, and improve the Mitwa Service
- Generate Mitwa AI insights and reports tailored to your financial situation
- Send email verification codes, security alerts, and product notifications via Resend
- Process subscription payments via Razorpay
- Calculate your net worth, financial health score, and spending analytics
- Enforce rate limits and subscription plan restrictions
- Detect and prevent fraud or unauthorized access
- Comply with legal obligations under Indian law
We do not use your financial data to train AI models. We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes beyond the Service.
4. Legal Basis for Processing (DPDP Act 2023)
Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following bases:
- Consent: You provide explicit consent during account registration and, where applicable, separate consent when linking accounts via Account Aggregator.
- Contract performance: To deliver the services you have signed up for, including Mitwa AI chat and reports.
- Legitimate interests: To maintain the security and integrity of the Service, and to prevent fraud.
- Legal obligation: To comply with applicable Indian laws and regulations.
You may withdraw consent at any time by deleting your account. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
5. Third-Party Data Sharing
We share your data with the following third-party service providers who process data on our behalf:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude AI) | Mitwa AI responses and financial reports | Chat messages, financial context (income, net worth, expenses) |
| Razorpay | Payment processing | Name, email, contact number for prefill; order and payment IDs |
| Resend | Email delivery (OTP, notifications) | Email address, name |
| MongoDB Atlas | Database storage | All user and financial data (encrypted at rest) |
| PostHog | Product analytics (when enabled) | Pseudonymous usage events; may be disabled via your browser where applicable |
| Account Aggregator (e.g. Setu) | Consent-based bank account information fetch under RBI AA | Identifiers and financial account data permitted by your AA consent (e.g. deposit account balances and related fields) |
We do not share your data with any other third parties without your explicit consent, except where required by law or a court order issued by a competent Indian authority.
6. Data Storage and Security
- All data is stored on MongoDB Atlas servers. Data at rest is encrypted by MongoDB Atlas.
- Passwords are hashed using bcryptjs (work factor 10) and are never stored in plain text.
- Payment signatures are verified using HMAC-SHA256 to prevent tampering.
- Sessions are managed via secure JWT tokens through NextAuth.js.
- All data is transmitted over HTTPS (TLS 1.2+).
While we implement industry-standard security measures, no system is 100% secure. In the event of a data breach that is likely to result in risk to your rights, we will notify affected users in accordance with the DPDP Act, 2023.
7. Data Retention
- Active accounts: We retain your data for as long as your account is active.
- Deleted accounts: Upon account deletion, your personal and financial data will be permanently deleted within 30 days, except where retention is required by law.
- Payment records: Transaction records may be retained for up to 7 years for tax and financial compliance purposes.
- Mitwa AI chat history: Conversation logs are retained for the duration of your account. You can delete individual sessions from within the app.
- Email verification codes: OTPs expire after 1 hour and are deleted after use.
8. Your Rights Under the DPDP Act, 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you.
- Right to correction: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data (“right to be forgotten”). This will result in account termination.
- Right to grievance redressal: Lodge a complaint with our Grievance Officer (see Section 11) if you believe your rights have been violated.
- Right to nominate: Nominate another individual to exercise rights on your behalf in the event of death or incapacity.
To exercise access or portability, use Settings → Profile → Export Data. To request erasure, use Settings → Profile → Delete Account. You may also contact us at privacy@mitwaai.com. We will respond within 30 days as required under the DPDP Act.
9. Cookies
Mitwa uses essential cookies and local storage for authentication (session tokens) and user preferences (e.g., last active tab, minimized chat state). Where enabled, we may use privacy-focused product analytics (such as PostHog) to measure feature usage — not for third-party advertising. We do not sell your data to advertisers.
You can disable cookies in your browser settings, but this will prevent you from logging in to the Service.
10. Children's Privacy
Mitwa is not intended for users under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, please contact us immediately at privacy@mitwaai.com and we will delete it promptly.
11. Grievance Officer
In accordance with the DPDP Act, 2023, we have designated a Grievance Officer:
Grievance Officer — Mitwa
Email: privacy@mitwaai.com
Response time: Within 30 days of receiving the complaint
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the app at least 7 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Governing Law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable Rules. Any disputes shall be subject to the exclusive jurisdiction of courts in India.