Privacy Policy

Last updated: April 20, 2026

Just Check ("we", "us", "our") operates the Just Check mobile application and the web application at jstchkit.navalrishi.com/app. This policy describes what data we collect, why we collect it, and the controls you have over it.

1. What we collect

Account data

• Email address — for sign-in and the one-time verification code.
• Display name — shown to other users during a session.
• Password — stored only as a one-way bcrypt hash; we never see the plain text.
• Device hardware identifier — a stable identifier provided by the OS (not a fingerprint of the hardware components). Used to bind your account to one device so a lost password alone can't be used to sign in from somewhere else.
• Firebase Cloud Messaging token — a rotating token that lets us send push notifications to your device. No message content is stored by us.

Location data

• Query location — the latitude and longitude you attach to a query. Stored server-side and retained with the session record.
• Responder location — while you have "I'm available" toggled on, your approximate position is streamed to a short-lived in-memory geo index so the matcher can find queries near you. It is not written to a location history. When you go offline (or the app is backgrounded beyond the keep-alive window) the entry is purged within minutes.

Session + transaction metadata

• Query text, type (text/photo/video), timestamps, and which two users were matched.
• Credit transactions — daily refresh grants, charges, earnings, and any refund events.
• Ratings and reports you give or receive after a session.

Operational logs

• Request logs (HTTP method, path, response code, response time), error traces, and performance counters are sent to Azure Application Insights for debugging and abuse monitoring. Access-token query strings and request bodies are not logged.

2. What we don't collect

• Message, photo, or call content. Chat messages, shared photos, voice calls, and video calls are transmitted directly between the two devices over an encrypted peer-to-peer (WebRTC) connection. Our servers only help the two devices find each other; the content never flows through us and we cannot read it, even if compelled to.
• Call recordings. We do not record calls. Any on-device recording stays on your device.
• Background location when you're offline. We stop collecting location the moment you toggle "I'm available" off.
• Browsing activity outside Just Check.
• Contacts, calendar, or media library. The app does not request access to any of these.

3. How we use your data

• To match queries with nearby responders.
• To run the credit ledger (daily refresh, charges, refunds, responder earnings).
• To send push notifications for new queries, accepted queries, and session events.
• To enforce our Terms of Service and rate-limit abuse.
• To keep the service running — error monitoring, performance tuning, and capacity planning.

4. Where the data lives

All server-side data is hosted on Microsoft Azure in the Central India region. Specifically:

• Account data, queries, sessions, ratings, reports, and credit transactions — Azure Database for PostgreSQL.
• Short-lived responder location index — Azure Cache for Redis (in-memory).
• Secrets (JWT signing key, Firebase service account) — Azure Key Vault.
• Diagnostic logs — Azure Log Analytics / Application Insights.

Session chat history, photos, and videos are stored on your own device (IndexedDB on the web, SQLite on Android). They are never uploaded to our servers.

5. Third-party services

• Firebase Cloud Messaging (Google) — delivers push notifications. We send Firebase a payload (title + short body, e.g. "New query nearby") and your FCM token; Firebase delivers it to the OS-level notification system.
• Google Maps — used on the Android app to render maps and reverse-geocode addresses. Google's privacy practices apply when you use the map.
• Microsoft Azure — our infrastructure provider (see section 4).

We do not currently use third-party analytics, advertising, or payment processors. In-app credit purchases and direct-to-bank cash-out are not yet live; when they are, this policy will be updated before we integrate any payment provider.

6. Retention

• Active accounts — kept as long as the account is active.
• Deleted accounts — when you delete your account (Profile → Settings → Delete Account in either the mobile or web app, or DELETE /api/user/account from the API), we immediately:
  • Mark the account as deleted and prevent further sign-in.
  • Scrub your email, display name, password hash, device id, refresh tokens, Firebase token, and avatar URL. The email is replaced with a non-routable placeholder (deleted-<random>@deleted.local).
  • Cancel any in-flight queries.
  • End any active or disconnected sessions you were part of.
  • Remove your responder entry from the Redis geo index.
  We keep the user row itself (with the scrubbed fields) so historical ratings and reports given by or about you remain attached to a valid foreign key. Ratings and reports are content about a session, not about you personally — once your identity is scrubbed they're effectively anonymous.
• Operational logs — retained in Azure Log Analytics for up to 30 days.

7. Your rights

• Access + portability. Email naval2sml@gmail.com and we'll send you a JSON export of the data we hold about you within 30 days.
• Correction. You can edit your display name from Profile → Edit Profile. For anything else email us.
• Deletion. Use the Delete Account button in Settings. The effect is immediate, as described in section 6.
• Object to processing / withdraw consent. Stop using the app and/or delete your account. You can also revoke push-notification or location permissions from your device's OS settings.

8. Security

• All traffic to our servers uses HTTPS (TLS 1.2+) with managed certificates.
• Passwords are hashed with bcrypt (work factor 11).
• Secrets are stored in Azure Key Vault with RBAC access.
• The backend API enforces rate limits per-IP via a Redis-backed sliding window and uses per-request idempotency keys on mutating endpoints.
• Peer-to-peer media (chat, photos, calls) is DTLS-SRTP encrypted end-to-end.

No system is perfectly secure. If you discover a vulnerability, please email us so we can address it before wider disclosure.

9. Children's privacy

Just Check is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has created an account, please email us and we will delete it.

10. International transfers

The service runs in Central India. If you use it from outside India, your data is transferred to India to be processed.

11. Changes to this policy

We may update this policy as the product evolves. Material changes (e.g. adding a new third-party processor, changing retention) will be announced inside the app or by email before they take effect. The "Last updated" date at the top of this page always reflects the most recent change.

12. Contact

Questions about this policy or your data? Email naval2sml@gmail.com.