Privacy Policy

CoShot — operated by Axero Private Limited

Effective Date: 20 May 2026


About this Policy

This Privacy Policy (“Policy”) explains how Axero Private Limited (“Axero”, “Company”, “we”, “us”, or “our”), a private limited company incorporated under the Companies Act, 2013 (CIN: U59201RJ2025PTC109427), having its registered office at Plot No. 46, Parihar Nagar, Bhadasiya, Jodhpur Mahamandir, Jodhpur — 342006, Rajasthan, India, collects, uses, discloses, retains, transfers, and protects personal data when you access or use the CoShot website at https://www.coshot.in, the CoShot mobile applications for iOS and Android, our application programming interfaces (APIs), and any related services (collectively, the “Platform” or “CoShot”).

This Policy is published in compliance with:

  • The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”);
  • Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), to the extent they continue to apply during the DPDP transition;
  • Rule 3(1)(b) and Rule 3(1)(f) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended (“Intermediary Rules”);
  • The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”);
  • The Reserve Bank of India Master Direction on Regulation of Payment Aggregators dated 15 September 2025 and the RBI Storage of Payment System Data Directive (2018), in respect of payment data flows;
  • The Apple App Store Review Guidelines (including §5.1.1 and §5.1.2) and the Google Play Developer Program Policies (including the User Data policy and the Permissions and APIs that Access Sensitive Information policy), in respect of mobile-application disclosures; and
  • To the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the California Consumer Privacy Act, 2018 as amended by the California Privacy Rights Act, 2020 (“CCPA/CPRA”).

By creating an account, accessing, or using CoShot, you confirm that you have read, understood, and agree to this Policy. If you do not agree, do not use the Platform.


§ 1. Overview of the Application

CoShot is a multi-sided online marketplace that combines two integrated business lines:

(a) a studio booking marketplace (“Airbnb-for-studios”) where Studio Owners list photography and videography studios, sets, and creative spaces for time-based bookings, and Users — including Brands and Influencers — discover, book, and pay for them through the Platform; and

(b) an influencer-marketing managed marketplace where, in this version of the Platform: registered Brands create campaign briefs that go live only after CoShot’s pre-publish verification; campaigns are surfaced to Influencers including through Instagram-based Discovery (using only public Instagram profile information and Influencer-connected analytics where the Influencer has authorised the connection); CoShot — as the Brand’s authorised representative — communicates with prospective Influencers through CoShot’s internal panel within the parameters of the verified brief; and CoShot acts as the Brand’s payment-collection and settlement agent, holding pre-paid funds in trust and releasing them to Influencers on approved delivery.

Roles available on the Platform are: User, Studio Owner, Brand, Influencer, and Admin. A single account may concurrently hold multiple Roles, and this Policy applies to all such Roles. CoShot is an “intermediary” under Section 2(1)(w) of the Information Technology Act, 2000, and a “marketplace e-commerce entity” under Rule 3(g) of the E-Commerce Rules, 2020.

CoShot does not sell personal data, does not share personal data for cross-context behavioural advertising, and does not rent personal data to data brokers, advertisers, or marketing networks.


§ 2. Definitions

“Data Principal” means the natural person to whom personal data relates (called “data subject” under the GDPR and “consumer” under the CCPA/CPRA).

“Data Fiduciary” means Axero, which determines the purpose and means of processing your personal data (called “controller” under the GDPR and “business” under the CCPA/CPRA).

“Personal Data” means any data about an identified or identifiable natural person.

“Child” means a person under the age of 18 years, as defined by Section 2(f) of the DPDP Act.

“Processor” means a third party that processes personal data on our documented instructions.

“User Content” means any text, image, review, comment, listing, deliverable, message, or other material that you upload, post, transmit, or otherwise make available on or through the Platform.

“Uploaded Photograph” means any still image that you (i) capture using the in-app camera function of the CoShot mobile applications, or (ii) select from your device photo library through the in-app picker, and submit to the Platform.

“Live Communication Media” means real-time audio and video streams transmitted between users through the in-app chat, voice-call, and video-call features powered by the Zego Cloud Instant Messaging Kit, which are relayed in real time and are not recorded, stored, transcribed, or persisted by CoShot.

“Voice Message” means a discrete audio recording that you create using the in-app voice-message function and send through the in-app chat, which is stored as a media object for the duration set out in § 13.

“Location Data” means data describing the geographic position of your device, including precise location (latitude and longitude with accuracy typically within ~10 metres) and approximate location (accuracy typically within ~3 kilometres or city / area level).


§ 3. Categories of Personal Data We Collect

We practise data minimisation as a matter of policy and collect only what is necessary to operate the Platform and meet legal obligations.

§ 3.1 Identity and Contact Data

Name, email address, mobile number (verified via OTP), date of birth (where required to verify age ≥ 18), profile photograph, gender (optional), preferred language, and account credentials (passwords stored as bcrypt hashes; never in plain text).

§ 3.2 KYC and Verification Data

Collected only from Studio Owners, Influencers, and Brands receiving payouts: PAN, GSTIN (where applicable), masked Aadhaar (we do not store full Aadhaar numbers), bank account number and IFSC, cancelled cheque image, business registration documents, address proof, and selfie/liveness check where applicable. KYC documents are stored encrypted in AWS S3 (Mumbai region — ap-south-1) and accessed only via short-lived, IP-restricted presigned URLs.

§ 3.3 Listing and Profile Data

For Studio Owners — studio name, address, photographs of the studio, equipment list, hourly pricing, availability calendar, cancellation policy. For Influencers — portfolio links, niches, languages, prior campaign performance, rate cards, portfolio photographs. For Brands — brand name, GSTIN, campaign briefs, deliverable expectations, brand and campaign reference photographs.

§ 3.4 Transaction and Payment Data

Booking and campaign IDs, amounts, taxes, invoices, payout details, refund history. Card numbers, CVV, UPI PINs, and net-banking credentials are never collected, stored, or processed by CoShot. Payments are processed by Razorpay (an RBI-licensed Payment Aggregator), and we receive only tokenised references and a verification signature (HMAC-SHA256). All payment system data is stored within India in compliance with the RBI Directive on Storage of Payment System Data (April 2018) and the RBI Master Direction on Regulation of Payment Aggregators (15 September 2025).

§ 3.5 Communication and User-Generated Content Data

In-app chat messages routed via Zego Cloud, call metadata, support tickets, OTPs and notifications delivered via Setu (WhatsApp Business API) and ZeptoMail (Zoho) for transactional email, dispute records, reviews, ratings, photographs attached to any of the foregoing, and User Content as defined in § 2.

§ 3.6 Instagram Integration Data

Where you connect your Instagram Business or Creator account, we receive the data described in detail in § 9 of this Policy.

§ 3.7 Device and Technical Data

IP address, device model, OS version, browser type, app version, crash logs, language settings, time-zone, approximate location derived from IP (as a coarse fallback, separate from the Location Data described in § 3.12), push-notification tokens (APNs / FCM), and standard log data. Camera, microphone, photo gallery, and device-location access are addressed separately in §§ 3.10, 3.11, and 3.12 respectively. EXIF and similar metadata containing location, device serial numbers, or other identifying information are stripped from Uploaded Photographs at the point of upload before storage (see § 3.10.5).

§ 3.8 Cookies and Similar Technologies

Strictly necessary cookies (session, CSRF tokens) are always on. Analytics, performance, and preference cookies are off by default and load only after you grant consent through our cookie banner. See § 15.

§ 3.9 Data We Do Not Collect

We do not collect:

(a) Biometric data, save for: (i) the discrete KYC liveness check described in § 3.2, the biometric output of which is discarded immediately after match; and (ii) images of human faces incidentally present in Uploaded Photographs, which we store as ordinary image files and which we do not subject to facial recognition, biometric template extraction, face-print generation, face-clustering, biometric matching, or any other biometric processing;

(b) Genetic data, sexual-orientation data, religious or political opinions;

(c) Financial credentials (card numbers, CVV, UPI PINs, net-banking passwords);

(d) Video files captured from your device camera or selected from your device gallery. The CoShot mobile applications do not request, capture, upload, or store video files of any kind. The use of your camera for Live Communication Media during in-app video calls is a real-time relay only, and no video is recorded or persisted (see § 3.10.12 and § 3.11);

(e) Microphone audio outside of the specific in-app voice-message, voice-call, and video-call features described in § 3.11. The CoShot applications do not record, sample, or transmit audio at any other time, and do not engage in “always-on” listening, ambient audio analysis, or audio-based advertising profiling;

(f) Location Data outside of the specific features described in § 3.12. The CoShot applications do not collect device location at any other time, and do not engage in continuous background tracking outside the narrow geofencing function described in § 3.12.2; and

(g) Contacts, SMS, call logs, calendar, health data, or device identifiers beyond those listed in § 3.7, unless you specifically and consensually enable a feature that requires them.

§ 3.10 Camera and Photo Gallery Access (Photographs Only)

The CoShot mobile applications request access to your device camera and to your device photo gallery (also called “photo library”) only when you initiate an action that requires it, and only for the specific purposes set out below. Permission is requested at the point of use through the operating-system prompt, and can be revoked at any time through your device settings without affecting the rest of the Platform.

§ 3.10.1 Scope — Still Photographs Only. Both the camera function and the gallery picker within the CoShot mobile applications are restricted to still photographs (JPEG, PNG, HEIC, and equivalent formats). We do not capture, request, or accept video files of any kind. On Android, we request only the photo-image media permission (READ_MEDIA_IMAGES) and do not request READ_MEDIA_VIDEO. On iOS, although the operating system grants photo-library access to both photos and videos as a single permission, our in-app picker restricts the visible and selectable set to still photographs only, and we discard any non-image file that may be supplied at the system layer.

§ 3.10.2 Purposes for which we may access the camera. We may access your device camera, with your permission, only to allow you to capture a still photograph for one or more of the following purposes:

(a) capturing or updating your profile photograph; (b) capturing photographs of a studio, set, or creative space for a Studio Owner listing; (c) capturing photographs of campaign deliverables by an Influencer; (d) capturing photographs of brand reference material or campaign assets by a Brand; (e) capturing supporting photographs for a support ticket, review, rating, or dispute submission; (f) capturing the selfie / liveness frame used in the KYC process described in § 3.2; and (g) capturing a photograph to send within an in-app chat conversation described in § 3.5.

§ 3.10.3 Purposes for which we may access the photo gallery. We may access your device photo gallery, with your permission, only to allow you to select an existing still photograph for the same purposes listed in § 3.10.2. The gallery picker shows only photographs and does not permit selection of any other file type.

§ 3.10.4 What we receive when you capture or select a photograph. When you capture a photograph using the in-app camera, or select one from your gallery, we receive only the photograph file you have actively chosen, together with any metadata embedded in that file by your device (including, where present, EXIF tags such as capture timestamp, camera model, orientation, and GPS coordinates). We do not access, scan, or read any other photograph in your gallery, and we do not enumerate, index, or transmit your gallery contents.

§ 3.10.5 EXIF and location metadata stripping. EXIF location metadata (including GPS latitude, GPS longitude, GPS altitude, and any other location-identifying EXIF fields) is stripped from every Uploaded Photograph at the point of upload, before the file is written to persistent storage. The stripped metadata is not logged, retained, or transmitted to any third party. The only exception is where you have separately and expressly opted in to the studio-map geolocation feature for studio listings, and the photograph is a studio listing image for which precise location is necessary; in that case, the studio coordinates you confirm are stored separately and the photograph itself is still stripped of EXIF location data.

§ 3.10.6 No biometric processing of faces in photographs. Uploaded Photographs may contain images of human faces, including your own. We do not run facial recognition, facial detection for identification purposes, biometric template extraction, face-print generation, face-clustering, biometric matching, age estimation, emotion analysis, or any other biometric processing on Uploaded Photographs. The discrete KYC liveness check described in § 3.2 is the sole exception, and its biometric output is discarded immediately after match. We do not use Uploaded Photographs to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model, whether our own or any third party’s.

§ 3.10.7 No advertising, profiling, or cross-context use. We do not use Uploaded Photographs, or any metadata derived from them, for advertising, ad measurement, audience-building, cross-context behavioural advertising, data brokerage, or any commercial purpose outside the Platform functionality described in this Policy.

§ 3.10.8 Photographs of third parties; your representations. By uploading any photograph, you represent and warrant that:

(a) the photograph either depicts only you, or has been captured and is being uploaded with the informed consent of every identifiable person appearing in it; (b) you hold all intellectual-property and personality rights necessary to upload, store, and display the photograph on the Platform for the purposes set out in § 3.10.2 and § 3.10.3; (c) the photograph does not infringe any third-party right and does not contain unlawful, defamatory, obscene, or otherwise prohibited content as described in the CoShot Terms of Use; and (d) the photograph does not depict any Child, except a photograph of your own Child uploaded by you in your capacity as a verified parent or lawful guardian, and only for a purpose lawful under the DPDP Act, the Protection of Children from Sexual Offences Act, 2012, and the Intermediary Rules. We reserve the right, in line with our § 8 obligations, to refuse, remove, or report any photograph that we reasonably believe depicts a Child in violation of this paragraph.

§ 3.10.9 Operating-system permission scopes and rationale strings. We request the minimum operating-system permissions necessary for the functionality above:

(a) iOS. We request NSCameraUsageDescription (camera) and NSPhotoLibraryUsageDescription (gallery — read access). Where the iOS version supports limited-library selection, we honour the user’s choice of “Selected Photos” without degrading functionality, and we do not request “All Photos” access where “Selected Photos” is sufficient. We do not request NSPhotoLibraryAddUsageDescription (write access), NSMicrophoneUsageDescription, or any other media permission for the camera-and-gallery feature.

(b) Android. On Android 13 (API 33) and above, we request READ_MEDIA_IMAGES only, and we prefer the system Photo Picker (which requires no runtime permission) where the use case permits. On Android 14 (API 34) and above, where the user grants partial-access (“Selected Photos”) to media, we honour that selection and do not request the full-access alternative. On Android 12 (API 32) and below, we use scoped storage and do not request READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE for this feature. We request CAMERA only at the point of camera use.

(c) Permission rationale. Each operating-system prompt is preceded by an in-app explanation screen identifying the specific purpose (for example: “To take or upload your profile photo”, “To take or upload photos of your studio listing”, “To take or upload your campaign deliverable photo”). We do not request these permissions at app launch or in advance of need.

§ 3.10.10 Consent, withdrawal, and effect of revocation. Your grant of camera or gallery permission constitutes free, specific, informed, and unambiguous consent under Section 6 of the DPDP Act, Article 6(1)(a) of the GDPR, and equivalent provisions of the CCPA/CPRA, for the limited purposes set out in this § 3.10. You may withdraw that consent at any time by:

(a) revoking the permission in your device settings (iOS: Settings → CoShot → Photos/Camera; Android: Settings → Apps → CoShot → Permissions); or (b) writing to contact@coshot.in with the subject line “Withdraw Camera/Gallery Consent — CoShot”.

Withdrawal of permission disables the camera and gallery functions prospectively but does not automatically delete photographs already uploaded. To delete photographs already uploaded, use the in-app deletion controls (Profile → My Content → Delete, or the equivalent control within the relevant listing, campaign, chat, or review screen) or write to contact@coshot.in. Deletion of uploaded photographs follows the timelines set out in § 13.

§ 3.10.11 Storage location and security of Uploaded Photographs. All Uploaded Photographs are stored in AWS S3 in the Mumbai region (ap-south-1), encrypted at rest using AES-256 server-side encryption with KMS-managed keys, and accessed only via short-lived, IP-restricted presigned URLs. Photographs are transmitted from your device to our servers over TLS 1.2 or higher.

§ 3.10.12 Camera use during live video calls. Separately from the photograph-capture functionality described in §§ 3.10.1 to 3.10.11, your device camera may also be activated, with your separate prior permission, during in-app video calls described in § 3.11. Camera use during a live video call is a real-time relay only: the video stream is transmitted to the other party through the Zego Cloud infrastructure and is not recorded, stored, transcribed, screen-captured, or persisted by CoShot. The camera is released as soon as the call ends or you mute the camera. The “no video files” commitment in § 3.9(d) refers to video as stored content; live video calls are not stored video.


§ 3.11 Microphone Access

The CoShot mobile applications request access to your device microphone only when you initiate one of the in-app communication features below, and only for the duration necessary for that feature. The in-app chat, voice-message, voice-call, and video-call functionality is powered by the Zego Cloud Instant Messaging Kit (Zego Cloud, identified as a Processor in § 6).

§ 3.11.1 Purposes for which we may access the microphone. We may access your device microphone, with your permission, only for one or more of the following purposes:

(a) recording a Voice Message that you choose to send within an in-app chat; (b) transmitting your live audio during a voice call between you and another Platform user; and (c) transmitting your live audio during a video call between you and another Platform user (Live Communication Media, as defined in § 2).

§ 3.11.2 What we collect and what we do not collect.

(a) Voice Messages are recorded only when you press and hold (or otherwise affirmatively activate) the voice-message control in the chat interface. The resulting audio file is transmitted via Zego Cloud to the recipient and is stored as a chat-attachment object on our infrastructure for the period set out in § 13.

(b) Live audio in voice and video calls is relayed in real time between you and the other party through Zego Cloud’s WebRTC infrastructure. CoShot does not record, store, transcribe, screen-capture, or persist the audio content of any voice or video call. Only call metadata (participant identifiers, start time, end time, duration, call quality indicators) is logged for billing, support, and abuse-investigation purposes.

(c) We do not activate the microphone outside the specific events in (a) and (b). We do not engage in always-on listening, ambient audio capture, audio fingerprinting, voice-print biometric extraction, speech-to-text profiling for advertising, emotion analysis, or audio-based behavioural advertising.

§ 3.11.3 No biometric voice processing and no AI training. We do not extract voice biometric templates from Voice Messages or Live Communication Media. We do not use Voice Messages or call audio to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model, whether our own or any third party’s.

§ 3.11.4 Operating-system permission scopes and rationale strings.

(a) iOS. We request NSMicrophoneUsageDescription only at the point of first use of a voice-message, voice-call, or video-call function. The rationale string identifies the specific purpose (for example: “CoShot needs microphone access to record a voice message or take part in a voice or video call when you initiate one.”).

(b) Android. We request RECORD_AUDIO only at the point of first use of a voice-message, voice-call, or video-call function. We do not request CAPTURE_AUDIO_OUTPUT, CAPTURE_MEDIA_OUTPUT, or any background-audio permission. On Android 14 (API 34) and above, a foreground service of type microphone is used only for the duration of an active call and a persistent notification is displayed.

(c) In-app pre-prompt. Each operating-system prompt is preceded by an in-app explanation screen identifying the specific feature requiring the microphone. We do not request microphone permission at app launch or in advance of need.

§ 3.11.5 Consent, withdrawal, and effect of revocation. Your grant of microphone permission constitutes free, specific, informed, and unambiguous consent under Section 6 of the DPDP Act, Article 6(1)(a) of the GDPR, and equivalent provisions of the CCPA/CPRA, for the limited purposes set out in this § 3.11. You may withdraw that consent at any time by:

(a) revoking the permission in your device settings (iOS: Settings → CoShot → Microphone; Android: Settings → Apps → CoShot → Permissions → Microphone); or (b) writing to contact@coshot.in with the subject line “Withdraw Microphone Consent — CoShot”.

Withdrawal disables the voice-message, voice-call, and video-call functions prospectively but does not automatically delete Voice Messages already sent. To delete a Voice Message already sent, delete the relevant chat message (Profile → Chat → Long-press message → Delete) or write to contact@coshot.in. Deletion follows the timelines in § 13.

§ 3.11.6 Storage location and security of Voice Messages. Voice Messages are transmitted via Zego Cloud (see § 6) and the persistent audio object is stored in AWS S3 (Mumbai region ap-south-1), encrypted at rest using AES-256 server-side encryption with KMS-managed keys, and transmitted over TLS 1.2 or higher.


§ 3.12 Location Access

The CoShot mobile applications request access to your device location for the limited purposes set out below. Location Data is one of the most sensitive categories of personal data we collect, and we apply heightened consent, minimisation, and retention controls to it.

§ 3.12.1 Foreground location use cases. With your permission (“When in Use” / “While using the app”), we may collect Location Data while the CoShot app is open and in active use, for the following purposes:

(a) showing studios near your current location on the studio-discovery map; (b) sorting studio search results by proximity to your current location; (c) auto-suggesting your service-area when you complete a Studio Owner listing; (d) providing turn-by-turn directions to a booked studio on the day of your booking (where you initiate this); and (e) verifying check-in at a booked studio (where you initiate this), for the limited purpose of dispute resolution and fraud prevention.

§ 3.12.2 Background location use case. With your separate and additional permission (“Always” / “Allow all the time”), we may collect Location Data while the CoShot app is in the background or closed, for a single defined purpose: to deliver a geofenced push notification when your device is within a defined radius of a studio you have an active confirmed booking for, so that you can be reminded of your booking and receive check-in instructions at the right time and place. We do not use background Location Data for any other purpose, and we do not collect background Location Data when you do not have an active confirmed booking.

§ 3.12.3 Precision and user choice.

(a) Precise Location (latitude / longitude with accuracy typically within ~10 metres). Used where the feature requires precision — for example, geofenced check-in at a studio, or precise distance-sorting in studio search. Precise Location is treated as Sensitive Personal Information under the CCPA/CPRA and you have the right to limit its use as described in § 14.

(b) Approximate Location (city / area level, with accuracy typically within ~3 kilometres). Used where coarser precision is sufficient — for example, “studios in your city” or surfacing locale-appropriate content.

(c) Your choice. On iOS 14 and above, and on Android 12 and above, the operating system gives you the choice to grant only approximate location even where the app requests precise. We honour that choice and degrade functionality gracefully (e.g., distance estimates become “city” rather than “metres”) rather than refusing service. We also expose an in-app toggle (Profile → Privacy → Location Precision) so you can downgrade from Precise to Approximate at any time without re-installing.

§ 3.12.4 Prominent Disclosure for Background Location (Google Play). In compliance with the Google Play “Location Permissions” policy and “User Data” policy, before we request the ACCESS_BACKGROUND_LOCATION permission on Android we present a separate, in-app Prominent Disclosure screen which states, in plain language: “CoShot collects location data to send you a reminder and check-in instructions when you are near a studio you have booked, even when the app is closed or not in use. This data is not used for advertising, is not shared with third parties for advertising, and is automatically deleted within 7 days. You can decline background location and continue using all other features of the app.” No background location is collected until you affirmatively accept this disclosure and then grant the operating-system “Allow all the time” permission.

§ 3.12.5 Operating-system permission scopes and rationale strings.

(a) iOS. We request NSLocationWhenInUseUsageDescription for foreground location (rationale: “CoShot uses your location to show studios near you and to help you check in at a booked studio.”). We request NSLocationAlwaysAndWhenInUseUsageDescription only where you have indicated interest in geofenced booking reminders (rationale: “CoShot uses your location in the background only to remind you about a studio booking when you are nearby. You can turn this off at any time.”). We honour the iOS “Precise Location” toggle and “Reduced Accuracy” mode.

(b) Android. We request ACCESS_COARSE_LOCATION (approximate) by default. We request ACCESS_FINE_LOCATION (precise) only where a feature requires precision and only at the point of use. We request ACCESS_BACKGROUND_LOCATION only after the Prominent Disclosure in § 3.12.4 and only if the user has actively opted in to geofenced booking reminders. On Android 14 (API 34) and above, a foreground service of type location is used only for the minimum duration necessary for the active feature.

(c) In-app pre-prompt. Each operating-system prompt is preceded by an in-app explanation screen identifying the specific feature requiring location access.

§ 3.12.6 What we do not do with Location Data. We do not: (i) sell or share Location Data with any third party for advertising, ad measurement, audience-building, or cross-context behavioural advertising; (ii) supply Location Data to data brokers, location aggregators, hedge funds, or location-intelligence firms; (iii) build behavioural profiles of you from your historical Location Data; (iv) infer sensitive attributes (religion, health condition, political affiliation, sexual orientation) from your visit patterns; or (v) use Location Data to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model.

§ 3.12.7 Consent, withdrawal, and effect of revocation. Your grant of location permission constitutes free, specific, informed, and unambiguous consent under Section 6 of the DPDP Act, Article 6(1)(a) of the GDPR, and equivalent provisions of the CCPA/CPRA. Because precise location is treated as Sensitive Personal Information under the CCPA/CPRA, you have an additional Right to Limit Use of Sensitive Personal Information as described in § 14.

You may withdraw consent for Location Data at any time by:

(a) downgrading precision in-app (Profile → Privacy → Location Precision); (b) revoking the permission in your device settings (iOS: Settings → CoShot → Location; Android: Settings → Apps → CoShot → Permissions → Location); or (c) writing to contact@coshot.in with the subject line “Withdraw Location Consent — CoShot”.

Withdrawal disables location-dependent features prospectively. To delete historical Location Data already collected, use Profile → Privacy → Delete My Location Data or write to contact@coshot.in. Deletion follows the timelines in § 13.

§ 3.12.8 Storage location and security. Location Data is stored in AWS RDS (Mumbai region ap-south-1), encrypted at rest, and transmitted over TLS 1.2 or higher. Precise Location Data is retained only for the period necessary for the active feature and is then either deleted or downgraded to approximate (city-level) for retained records, as set out in § 13.


§ 4. Sources of Personal Data

We collect personal data: (a) directly from you when you sign up, list, book, apply to a campaign, message a counterparty, post User Content, capture or upload a photograph, record or send a Voice Message, place or join an in-app voice or video call, use a location-dependent feature, or contact support; (b) automatically through your use of the Platform (logs, cookies, device data); (c) from authorised third parties when you elect to connect them (Meta / Instagram, Razorpay KYC, and, if and when enabled in future, Google or Apple sign-in); and (d) from public records (such as the GSTIN registry and the MCA portal) for verification purposes.


§ 5. Purposes and Legal Bases for Processing

We map each processing activity to a lawful basis under the DPDP Act (consent under Section 6 or a “certain legitimate use” under Section 7), to an Article 6 GDPR basis, and to a CCPA/CPRA business purpose with no “sale” and no “sharing for cross-context behavioural advertising”.

# | Processing Activity | DPDP Basis | GDPR Basis | CCPA Purpose
1 | Account creation and authentication | Consent (s. 6) + performance of contract (s. 7(a)) | Art. 6(1)(b) Contract | Providing the service
2 | KYC of Studio Owners, Influencers, payee Brands | Compliance with law (s. 7(b)) — PMLA, RBI PA Master Direction | Art. 6(1)(c) Legal obligation | Legal compliance / fraud prevention
3 | Listing publication, search, and ranking | Performance of contract (s. 7(a)) | Art. 6(1)(b) | Providing the service
4 | Booking, campaign matchmaking, escrow settlement, and (for Campaigns) acting as the Brand’s authorised representative for outreach, brief-bounded negotiation, and payment-agency | Performance of contract (s. 7(a)); Brand authorisation under the Terms of Use (EULA) | Art. 6(1)(b) | Providing the service
4A | Pre-publish verification of Brand-listed Campaigns | Compliance with Rule 3(1)(b) Intermediary Rules due diligence + performance of contract | Art. 6(1)(b)/(c) | Providing the service / Legal compliance
5 | Payment processing and refund | Performance of contract + legal obligation | Art. 6(1)(b)/(c) | Processing payments
6 | Tax invoicing and GST compliance | Compliance with law (s. 7(b)) | Art. 6(1)(c) | Legal compliance
7 | Customer support and grievance redress | Performance of contract + legal obligation | Art. 6(1)(b)/(c) | Customer service
8 | Trust, safety, fraud detection, anti-abuse | Legal obligation + legitimate use | Art. 6(1)(c)/(f) | Security and fraud prevention
9 | Instagram analytics for Influencer vetting and Discovery (Influencer-connected analytics with the Influencer’s express consent; public Instagram profile data used consistent with Meta Platform Terms) | Consent (s. 6) for connected accounts; legitimate use for public-data Discovery | Art. 6(1)(a) / Art. 6(1)(f) | Providing the service
10 | Marketing emails, promotional WhatsApp messages | Consent (s. 6) — opt-in, freely revocable | Art. 6(1)(a) Consent | Marketing (with opt-out)
11 | Product analytics, service improvement | Consent (s. 6) for non-essential analytics | Art. 6(1)(f) Legitimate interest | Service improvement
12 | Breach notification and regulatory reporting | Compliance with law (s. 7(b)) | Art. 6(1)(c) | Legal compliance
13 | Defending or asserting legal claims | Legitimate use (s. 7(g)) | Art. 6(1)(f) | Legal claims
14 | Capture, upload, storage, and display of still photographs from camera and gallery for profiles, listings, deliverables, campaigns, support, reviews, and chat, as set out in § 3.10 | Consent (s. 6) at the operating-system permission prompt + performance of contract (s. 7(a)) | Art. 6(1)(a) Consent + Art. 6(1)(b) Contract | Providing the service
15 | Camera relay for live in-app video calls, with no recording or storage, as set out in § 3.10.12 | Consent (s. 6) at the operating-system permission prompt + performance of contract (s. 7(a)) | Art. 6(1)(a) Consent + Art. 6(1)(b) Contract | Providing the service
16 | Microphone access for Voice Messages, voice calls, and video calls through the Zego Cloud Instant Messaging Kit, as set out in § 3.11 | Consent (s. 6) at the operating-system permission prompt + performance of contract (s. 7(a)) | Art. 6(1)(a) Consent + Art. 6(1)(b) Contract | Providing the service
17 | Foreground Location Data collection for studio discovery, map, proximity-sorted search, directions, and check-in, as set out in § 3.12.1 | Consent (s. 6) at the operating-system permission prompt + performance of contract (s. 7(a)) | Art. 6(1)(a) Consent + Art. 6(1)(b) Contract | Providing the service
18 | Background Location Data collection limited to geofenced booking-reminder notifications for active confirmed bookings, as set out in § 3.12.2, with prior Prominent Disclosure under Google Play policy | Consent (s. 6) — separate, additional, freely revocable, with no service degradation outside the geofencing feature | Art. 6(1)(a) Consent | Providing the service (booking reminder)

You may withdraw consent for any consent-based processing at any time without affecting the lawfulness of processing prior to withdrawal. Withdrawal is as easy as giving consent, in compliance with Section 6(4) of the DPDP Act. Use the in-app toggle, the device-level permission revocation described in § 3.10.10, or write to contact@coshot.in.


§ 6. How We Share Personal Data

We share personal data only in the limited and specific circumstances below.

(a) With other users of the Platform, by design. A Studio Owner sees the booking User’s name and contact only after booking confirmation, to enable check-in and coordination. A Brand sees an Influencer’s profile and public Instagram handle, and — only with the Influencer’s specific consent — connected Instagram analytics. A User booking a studio sees the Studio Owner’s listing, business name, broad area, and listing photographs for service-delivery coordination. Where a photograph is uploaded as part of a public listing, public profile, review, or campaign deliverable, that photograph is visible to other Platform users in line with the function for which it was uploaded.

(b) Managed-marketplace data flow for Campaigns (this version). Communications between Brands and Influencers for verified Campaigns flow through CoShot’s internal panel. The Brand authorises CoShot to communicate with prospective Influencers on the Brand’s behalf within the parameters of the verified brief; the Brand’s identity is disclosed to the Influencer in every such communication. Where CoShot uses public Instagram profile information for Discovery, no private Instagram data is accessed without the Influencer’s express OAuth consent. Once a Deal is confirmed, the parties continue to communicate through the panel, with CoShot retaining visibility for dispute resolution, fraud prevention, and audit purposes. The legal framework for this managed-marketplace model is set out in Section 8 of the CoShot Terms of Use (EULA).

(c) With Data Processors who act only on our written instructions under data-processing agreements requiring equivalent security and confidentiality:

Processor | Role | Data | Location
Amazon Web Services (AWS) — ap-south-1 Mumbai | Cloud hosting, S3 storage (including Uploaded Photographs and Voice Messages), RDS (including Location Data), KMS | All operational data, KYC documents, Uploaded Photographs, Voice Messages, Location Data | India
Razorpay Software Pvt. Ltd. | RBI-licensed Payment Aggregator | Payment instrument data (we do not see card / UPI credentials) | India
Setu (WhatsApp Business API) | OTP and transactional WhatsApp | Mobile number, OTP / notification text | India
ZeptoMail (Zoho Corporation Pvt. Ltd.) | Transactional email | Email address and email body | India (Zoho India DC)
Zego Cloud | Real-time chat, Voice Message relay, voice-call and video-call infrastructure via the Zego Cloud Instant Messaging Kit | Chat content, Voice Message audio, live voice-call audio (not recorded by CoShot), live video-call audio and video (not recorded by CoShot), call metadata | Routed via in-region nodes; see § 12
Meta Platforms, Inc. (Instagram Graph API) | Source of influencer analytics, on Influencer’s authorisation | OAuth tokens, public IG profile, Insights | Meta global infrastructure
Apple Inc. / Google LLC (push notifications) | APNs / FCM delivery | Device push token + notification payload | Global

We do not share Uploaded Photographs, Voice Messages, the audio or video content of live calls, or Location Data with any image-processing, voice-processing, location-aggregation, image-recognition, voice-recognition, machine-learning, advertising, or analytics third party. If we ever propose to introduce such a third party, we will update this Policy in advance, refresh affirmative consent under § 21, and not begin sharing until the new disclosure is in force.

(d) With banks and escrow trustees for the operation of the trust account holding settlement funds.

(e) With professional advisors (auditors, lawyers, accountants) under duties of confidentiality, where required.

(f) With law enforcement, regulators, courts, and the Data Protection Board of India where compelled by valid legal process. We assess every request for legal validity and minimisation and, where lawful, notify the affected Data Principal.

(g) On a corporate transaction (merger, acquisition, restructuring, sale of assets), to the acquirer subject to confidentiality, with notice to you in advance where practicable.

We do not appoint vague “partners” who can monetise your data. Every recipient is identified, contracted, and audited.


§ 7. Automated Decision-Making and Profiling

The Platform uses limited algorithmic processes for: (i) ranking studios and influencer-campaign matches; (ii) detecting suspicious payments and fake reviews; and (iii) recommending content. None of these produces legal or similarly significant effects within the meaning of Article 22 GDPR. Final decisions on KYC rejection, account suspension, or payout holds are made with human review.

We do not apply automated facial recognition, biometric matching, voice-print extraction, speech-to-text profiling, location-based behavioural profiling, or machine-learning content analysis to Uploaded Photographs, Voice Messages, the audio or video content of live calls, or Location Data, except for the discrete KYC liveness match described in § 3.2 and basic, non-biometric content-safety checks (such as automated detection of patently unlawful imagery prior to publication) which are subject to human review before any account-level consequence.

Where you believe an automated outcome (for example, a fraud-flagged transaction or a removed photograph) is incorrect, you may request human review by writing to contact@coshot.in; we will respond within 7 business days.


§ 8. Children’s Data

The Platform is intended for persons aged 18 years or older. We do not knowingly collect personal data from Children. Consistent with Section 9 of the DPDP Act and Rule 10 of the DPDP Rules, where we become aware that a Child has registered or that any photograph uploaded depicts a Child contrary to § 3.10.8(d): (a) we will suspend the account; (b) we will not undertake tracking, behavioural monitoring, or targeted advertising of the Child; (c) we will erase the Child’s personal data, including any photographs of the Child, unless retention is required by law; (d) we will not process the Child’s personal data without verifiable parental consent obtained in the manner required by Rule 10 of the DPDP Rules; and (e) where the photograph indicates a possible offence under the Protection of Children from Sexual Offences Act, 2012, we will report the matter to the National Cyber Crime Reporting Portal and to the National Centre for Missing & Exploited Children (NCMEC) where applicable, and preserve the relevant records for the period required by law.

If you believe a Child has provided personal data to us, or that a photograph on the Platform depicts a Child in violation of this Policy, please write to contact@coshot.in so we may act expeditiously.


§ 9. Instagram Graph API Integration

CoShot integrates with Meta’s Instagram Graph API to enable Influencers to demonstrate authentic audience metrics to Brands and to enable Brands to make informed campaign decisions. This Section is published to satisfy Meta Platform Terms and Meta App Review requirements.

§ 9.1 Permissions Requested

We request only two Instagram Graph API permissions, and only from Influencers who have a Business or Creator account and choose to connect it:

  • instagram_basic — to read the Influencer’s username, Instagram account ID, profile picture, account type (Business / Creator), media count, and a list of published media (image, video, reel, carousel) including caption, media URL, permalink, timestamp, and aggregate like / comment counts.
  • instagram_manage_insights — to read account-level and media-level insights (reach, impressions, profile views, engagement, saves, audience age / gender / location aggregates) for the Influencer’s own Business or Creator account.

We do not request instagram_content_publish, instagram_manage_messages, instagram_manage_comments, messaging / DM permissions, or any permission beyond what is technically necessary to identify the linked Instagram account.

§ 9.2 Why Each Permission Is Necessary

instagram_basic is necessary so Brands can verify that the Influencer applying to a campaign actually controls the handle they claim, see the Influencer’s content style, and confirm media count. Without this permission, Brands would have to rely on screenshots, which are easy to fabricate; this would destroy the trust foundation of an influencer marketplace.

instagram_manage_insights is necessary because the core value proposition of an influencer-marketing marketplace is verified, first-party audience data — reach, impressions, engagement rate, and audience demographics. Direct API access ensures that the data shown to Brands is the same data Meta itself displays to the Influencer in their professional dashboard, eliminating reliance on forgeable screenshots and combating follower-count fraud.

§ 9.3 Exactly What Data We Fetch and Store

For each connected Instagram Business / Creator account, we fetch and cache: username, IG account ID, profile picture URL, account type, media count; up to the most recent 50 media items (id, caption, media_type, media_url, permalink, thumbnail_url, timestamp, like_count, comments_count); account-level insights for rolling 30-day windows; and media-level insights for the cached media. We refresh insights on demand or on a schedule of no more than once per 24 hours per connected account, in line with Meta’s rate limits and the principle of data minimisation.

§ 9.4 OAuth Tokens — Storage and Security

Long-lived OAuth access tokens issued by Meta are encrypted at rest using AES-256-GCM with keys held in AWS KMS. Tokens are never logged, never sent to client devices in plaintext, and never shared with any third party.

§ 9.5 How an Influencer Can Disconnect and Trigger Deletion

You can revoke CoShot’s access at any time, in any of three ways:

  1. In CoShot: Profile → Connected Accounts → Instagram → “Disconnect”. This calls the Meta API to revoke our token and immediately deletes (a) the OAuth token, (b) the cached profile and media, and (c) all cached insights linked to your account from our production database. Backups roll off within 35 days.
  2. In Instagram itself: Settings → Apps and Websites → Active → CoShot → Remove. Meta will issue a deauthorization callback to our endpoint, which triggers the same deletion flow.
  3. By email: write to contact@coshot.in with the subject “Instagram Data Deletion — CoShot” and we will action it within 7 days.

§ 9.6 Meta Data Deletion Endpoints

For the purposes of Meta Platform Terms requirements on User Data Deletion:

  • Deauthorization Callback URL: https://www.coshot.in/api/v1/meta/deauthorize
  • Data Deletion Request Callback URL: https://www.coshot.in/api/v1/meta/data-deletion
  • User-Readable Data Deletion Instructions: https://www.coshot.in/legal/data-deletion
  • Email fallback: contact@coshot.in

When Meta issues a signed deletion request to our callback, we verify the signature, locate all records associated with the supplied app-scoped User ID, delete them within 30 days, and return the JSON confirmation URL and code as required by Meta.

§ 9.7 No Re-Use of Instagram Data

We use Instagram-derived data exclusively for the influencer-marketplace functionality described above. We do not sell, license, or share Instagram-derived data for advertising, machine-learning model training, audience-building products, data brokerage, or any purpose outside CoShot’s stated functionality.


§ 10. Apple App Tracking Transparency and App Privacy Disclosure

§ 10.1 No tracking. The iOS CoShot app does not engage in “tracking” as defined by Apple’s App Tracking Transparency framework. We do not link user or device data collected in our app with user or device data collected from other companies’ apps, websites, or offline properties for advertising or advertising-measurement purposes, and we do not share device data with data brokers. Consequently, the iOS app does not present the ATT prompt. If at any future point we introduce a feature that would constitute tracking under ATT, we will update this Policy, present the ATT prompt before any tracking begins, and honour your response.

§ 10.2 Camera and Photo Library on iOS. Camera and photo library access on iOS is requested only at the point of use, with purpose-specific rationale strings disclosed in the operating-system prompt, and is limited to still photographs as described in § 3.10, except for live-relay camera use during in-app video calls described in § 3.10.12 (which is not recorded or stored). Camera and photo library access does not constitute “tracking” under ATT because the resulting photographs are not linked with user or device data collected from other companies’ apps, websites, or offline properties for advertising or advertising-measurement purposes, and no Uploaded Photograph is shared with any data broker.

§ 10.3 Microphone on iOS. Microphone access on iOS is requested only at the point of first use of an in-app voice-message, voice-call, or video-call function (via the NSMicrophoneUsageDescription rationale string), is used only for the duration of that function, and is described in § 3.11. Microphone access does not constitute “tracking” under ATT because audio captured through the microphone is not linked with user or device data collected from other companies’ apps, websites, or offline properties for advertising or advertising-measurement purposes, and no Voice Message or call audio is shared with any data broker.

§ 10.4 Location on iOS. Location access on iOS is requested at the point of first use of a location-dependent feature (via the NSLocationWhenInUseUsageDescription rationale string for foreground use, and additionally via the NSLocationAlwaysAndWhenInUseUsageDescription rationale string for the opt-in geofenced booking-reminder feature only), and is described in § 3.12. We honour the iOS “Precise Location” toggle and “Reduced Accuracy” mode, and we do not refuse service or degrade non-location features if you grant only approximate location. Location access does not constitute “tracking” under ATT because Location Data is not linked with user or device data collected from other companies’ apps, websites, or offline properties for advertising or advertising-measurement purposes, and Location Data is not shared with any data broker.

§ 10.5 App Privacy Nutrition Label. Our App Store Connect App Privacy disclosure reflects the following data types as collected and linked to the user’s identity: contact info, identifiers, financial info (transaction history only, not credentials), user content (including photographs and Voice Messages), audio data (Voice Messages and live-call audio), location (precise and approximate, with precise location used only with explicit consent for specified features), usage data, and diagnostics. None of these data types is used for tracking. Our App Privacy disclosure is updated whenever this Policy is materially updated and in any event before the corresponding binary is submitted for review.


§ 11. Google Play Data Safety

The Android CoShot app’s data-handling practices are mirrored in the Google Play “Data Safety” section. The following disclosures are made on the Play Console and are aligned with this Policy:

(a) Photos and videos → Photos — collected (yes); shared with third parties (no, except as set out in § 6); processing is not ephemeral (Uploaded Photographs are stored as set out in § 13); collection is optional (the app is usable without granting camera or gallery permission, with features that depend on photographs disabled); purposes are limited to App functionality and Account management. The Android app collects only still photograph images and does not collect videos.

(b) Audio → Voice or sound recordings — collected (yes), in the form of Voice Messages within the in-app chat as described in § 3.11; shared with third parties (no, except with Zego Cloud as Processor under § 6); collection is optional; purposes are limited to App functionality (delivery of the recipient’s Voice Message) and Account management (chat history). Live voice-call and video-call audio is relayed through Zego Cloud in real time and not stored by CoShot, and is therefore disclosed under the “Data processed ephemerally” category. We do not collect any audio outside the user-initiated voice-message, voice-call, and video-call features.

(c) Location → Approximate location and Location → Precise location — collected (yes), as described in § 3.12; shared with third parties (no); collection is optional; purposes are limited to App functionality (studio discovery, map, proximity sorting, directions, check-in) and, for background precise location only with separate opt-in, App functionality (geofenced booking-reminder notification). Background location is collected only under the Prominent Disclosure described in § 3.12.4, only for users with an active confirmed booking, and is deleted within 7 days of the booking ending.

(d) Personal info, Financial info, Messages, App activity, App info and performance, Device or other IDs — collected as set out in §§ 3.1–3.8, in line with the corresponding Play Data Safety categories.

All personal data in transit is encrypted using TLS 1.2 or higher. Users can request data deletion via the in-app “Delete my account” button (Profile → Settings → Delete Account) or by writing to contact@coshot.in. We follow the Google Play User Data policy, the Permissions and APIs that Access Sensitive Information policy, the Location Permissions policy, and the Prominent Disclosure and Consent Requirements. We do not share data with third parties for advertising or advertising measurement, and we do not sell data.


§ 12. Cross-Border Transfers

CoShot is hosted in India (AWS Mumbai ap-south-1). Personal data, including Uploaded Photographs, Voice Messages, and Location Data, stays in India by default. Limited transfers occur where strictly necessary:

  • Apple APNs / Google FCM for push notifications (delivery of notification payload only — Uploaded Photographs, Voice Messages, and Location Data are never transmitted in push payloads);
  • Meta / Instagram Graph API when an Influencer initiates a connection;
  • Zego Cloud real-time media — connections (including live voice-call and video-call audio and video, and Voice Message delivery) are routed via Zego’s nearest in-region node; signalling and metadata may transit international infrastructure.

Such transfers are made under: (i) Section 16 of the DPDP Act and Rule 15 of the DPDP Rules, which permit cross-border transfers except to jurisdictions notified by the Central Government as restricted (no such restrictions apply at the date of this Policy); (ii) where any EU/EEA personal data is involved, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary measures (encryption, pseudonymisation, contractual prohibitions on onward transfer); and (iii) the RBI Payment System Data Localisation Directive (April 2018) for all payment-system data.


§ 13. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, and in any event in accordance with statutory retention obligations.

Data category | Retention | Statutory basis / reason
Account data (active account) | Until account deletion + 30 days operational tail | DPDP Rule 8 — purpose limitation
Account data after deletion request | Erased within 30 days (production); 35 days (backups) | DPDP s. 8(7); Rule 8
Inactive accounts | 3 years from last interaction, with 48-hour pre-deletion notice | DPDP Rules — Third Schedule
KYC documents | 5 years from end of business relationship | PML (Maintenance of Records) Rules, 2005
KYC selfie / liveness biometric template | Discarded within minutes of match; never retained | DPDP minimisation; SPDI Rule 5
Transaction records, invoices | 8 financial years | CGST Act, 2017 and Income-tax Act, 1961
Razorpay payment records | As required by RBI Master Direction on Payment Aggregators | RBI directive
Removed / blocked content (post-takedown) | 180 days minimum | Rule 3(1)(g), Intermediary Rules, 2021
Grievance records | 3 years | Rule 3(2), Intermediary Rules
Logs, traffic data, audit trails | Minimum 1 year | DPDP Rule 6
OAuth tokens (Instagram) | Until disconnect or 60 days inactivity, whichever is sooner | DPDP minimisation
Cached Instagram data | Refreshed on schedule; deleted on disconnect within 30 days | Meta Platform Terms
Uploaded Photographs — profile | Until you replace or delete the photograph, or until account deletion, then erased within 30 days (production) / 35 days (backups) | DPDP s. 8(7); Rule 8
Uploaded Photographs — studio listing, influencer portfolio, brand campaign | Until you delete the listing, portfolio item, or campaign asset, or until account deletion, then erased within 30 days (production) / 35 days (backups), subject to the row immediately below | DPDP s. 8(7); Rule 8
Uploaded Photographs forming part of a closed booking, completed campaign, support ticket, dispute, or review | Retained for the longer of (i) 8 financial years for transaction-record purposes, or (ii) the limitation period for any related dispute under the Limitation Act, 1963 | CGST Act, 2017; Income-tax Act, 1961; Limitation Act, 1963; Rule 3(1)(g), Intermediary Rules
Uploaded Photographs sent through in-app chat | Retained for the duration of the chat thread plus 90 days, or until you delete the message, whichever is sooner; thereafter erased within 30 days (production) / 35 days (backups) | DPDP minimisation; Rule 3(2), Intermediary Rules
Voice Messages sent through in-app chat | Retained for the duration of the chat thread plus 90 days, or until you delete the message, whichever is sooner; thereafter erased within 30 days (production) / 35 days (backups) | DPDP minimisation; Rule 3(2), Intermediary Rules
Live voice-call and video-call audio and video content | Not stored; relayed in real time through Zego Cloud only; no retention | DPDP minimisation; § 3.11.2(b)
Call metadata (participant IDs, start / end / duration, quality indicators) | 12 months from call end, for billing, support, and abuse-investigation purposes | DPDP minimisation; Rule 3(2), Intermediary Rules
Foreground Location Data — active session (studio search, map, directions) | Deleted from device cache within 24 hours; not retained on server beyond the duration of the active session, except where the user has saved a search or set a service-area, in which case the saved value (not the raw location stream) is retained until the user deletes it | DPDP minimisation
Foreground Location Data — check-in confirmation | Coordinates of the check-in event retained as part of the booking record for the longer of (i) 8 financial years for transaction-record purposes, or (ii) the limitation period for any related dispute under the Limitation Act, 1963 | CGST Act, 2017; Income-tax Act, 1961; Limitation Act, 1963
Background Location Data (geofenced booking reminders only) | Retained only for the duration of the active confirmed booking + 7 days; thereafter erased within 30 days (production) / 35 days (backups). Never retained outside an active booking window | DPDP minimisation; Google Play Location Permissions policy
Precise Location Data after the active feature | Either deleted or downgraded to approximate (city-level) for any retained record where precise location is no longer necessary | DPDP minimisation; CCPA/CPRA right to limit
EXIF location metadata from Uploaded Photographs | Not retained (stripped at the point of upload before storage) | DPDP minimisation; § 3.7 and § 3.10.5 consistency
Marketing-consent-based data | Until consent withdrawn + 30 days | DPDP s. 6(4)
Cookies (non-essential) | Per consent settings; maximum 13 months | ePrivacy guidance

After expiry, data is securely erased or anonymised such that re-identification is not reasonably possible.


§ 14. Your Rights

§ 14.1 Rights under the DPDP Act

You have the rights to: access and obtain a summary of personal data being processed (Section 11); seek correction, completion, updating, and erasure of personal data (Section 12); grievance redressal; nominate another individual to exercise your rights in the event of death or incapacity (Section 13); and withdraw consent at any time, with the same ease with which it was given (Section 6(4)).

§ 14.2 Additional Rights for EU/EEA / UK Data Subjects

Right to rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection (including to processing for direct marketing), and the right not to be subject to a solely automated decision with legal or similarly significant effects. You may also lodge a complaint with your national supervisory authority.

§ 14.3 Additional Rights for California Residents

Right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information (including the right to direct CoShot to limit its use of your Precise Location to that necessary to perform the services reasonably expected by you), and right to non-discrimination for exercising rights.

§ 14.4 “Do Not Sell or Share” Statement

CoShot does not sell personal information and does not share personal information for cross-context behavioural advertising, as those terms are defined in Cal. Civ. Code § 1798.140. We have not sold or shared personal information of any consumer, including any minor, in the preceding 12 months.

§ 14.5 How to Exercise Rights

Submit a request to contact@coshot.in or via Profile → Privacy → My Data Requests in the app. We will verify your identity (typically by an OTP to your registered email or phone) and respond within 30 days, or within the statutory period if shorter. We will not retaliate against you for exercising any right.

§ 14.6 Specific Mechanisms for Camera, Photo, Microphone, and Location Data

In addition to the general rights above, in relation to camera, gallery, microphone, and location permissions and the data collected through them you may at any time:

(a) Camera, gallery, and Uploaded Photographs

(i) revoke camera or photo-library permission at the operating-system level as described in § 3.10.10; (ii) delete any individual Uploaded Photograph using the in-app deletion control on the relevant screen; (iii) request bulk deletion of all Uploaded Photographs associated with your account by writing to contact@coshot.in with the subject “Delete All Photos — CoShot”; and (iv) request an export of all Uploaded Photographs associated with your account in machine-readable form (data portability), to be provided within 30 days.

(b) Microphone, Voice Messages, and call audio

(i) revoke microphone permission at the operating-system level as described in § 3.11.5; (ii) delete any individual Voice Message using the in-app deletion control in the chat; (iii) request bulk deletion of all Voice Messages associated with your account by writing to contact@coshot.in with the subject “Delete All Voice Messages — CoShot”; and (iv) request deletion of call metadata associated with your account (subject to the retention period for billing and abuse-investigation purposes in § 13).

(c) Location Data

(i) downgrade location precision in-app (Profile → Privacy → Location Precision) from Precise to Approximate, or revoke location permission entirely at the operating-system level, as described in § 3.12.7; (ii) request the Right to Limit Use of Sensitive Personal Information under the CCPA/CPRA, by writing to contact@coshot.in with the subject “Limit Precise Location Use — CoShot”; (iii) request deletion of historical Location Data associated with your account by writing to contact@coshot.in with the subject “Delete My Location Data — CoShot”; and (iv) opt out of geofenced booking-reminder notifications without affecting any other feature of the Platform (Profile → Privacy → Booking Reminders → Off).

§ 14.7 Right to Complain

If you are dissatisfied with our handling of your request, you may complain to: the Data Protection Board of India under Section 13 of the DPDP Act; for EU/EEA users, your national Data Protection Authority; or for California users, the California Privacy Protection Agency or the California Attorney General.


§ 15. Cookies and Similar Technologies

CoShot uses cookies and similar technologies (local storage, session storage). We classify them as: strictly necessary (session, CSRF, load-balancing) — always on; functional (language preference, recent searches) — opt-in; analytics (aggregate usage statistics) — opt-in, default off; and advertising / cross-site tracking — not used. A consent banner appears on first visit and any time a material change is made. You can change preferences at any time at https://www.coshot.in/legal/cookies or via Settings → Privacy → Cookie Preferences.


§ 16. Security

We follow ISO/IEC 27001-aligned security practices, including:

  • TLS 1.2+ for all data in transit;
  • AES-256-GCM at-rest encryption for OAuth tokens, KYC artefacts, Uploaded Photographs, Voice Messages, and Location Data;
  • bcrypt password hashing (cost factor ≥ 12);
  • HMAC-SHA256 verification on all Razorpay webhook payloads;
  • JWT access tokens (30-minute lifetime) with rotating refresh tokens (7-day lifetime) and revocation on suspicious activity;
  • Helmet middleware enforcing CSP, HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, and strict Referrer-Policy;
  • role-based access control with least-privilege provisioning;
  • centralised, tamper-evident audit logging retained for at least 1 year;
  • annual third-party VAPT and CERT-In-empanelled audit for payment systems;
  • quarterly access reviews and offboarding controls;
  • tested encrypted-backup restore procedures;
  • image-pipeline controls including EXIF stripping at the point of upload and short-lived, IP-restricted presigned URLs for photograph retrieval; and
  • location-pipeline controls including precision downgrading and time-bound retention.

No system is perfectly secure. If you suspect compromise, write to contact@coshot.in immediately.


§ 17. Personal Data Breach Notification

In the event of a personal data breach, we comply with Section 8(6) of the DPDP Act read with Rule 7 of the DPDP Rules:

  • Without delay, we will notify each affected Data Principal in concise, clear, plain language describing the nature, extent, and timing of the breach, the data classes affected, the likely consequences, the protective measures the Data Principal can take, and CoShot contact details.
  • Without delay, we will give an initial intimation to the Data Protection Board of India.
  • Within 72 hours of becoming aware of the breach, we will provide the Board with a detailed report covering circumstances, mitigation, root-cause findings, and notifications issued.
  • Where applicable, we will also notify CERT-In within 6 hours under the CERT-In Directions of 28 April 2022, and notify Razorpay and any affected banks under applicable agreements.

§ 18. Significant Data Fiduciary Readiness

CoShot is currently a Data Fiduciary under the DPDP Act. We are not, as of the date of this Policy, designated by the Central Government as a Significant Data Fiduciary under Section 10 of the DPDP Act. However, we operate to SDF-grade controls in anticipation of designation, including: an internal Data Protection point of contact; annual Data Protection Impact Assessments and Data Audits; documented algorithmic risk reviews; localisation contingency plans; and consent-manager interoperability readiness.


§ 19. Consent Manager Interoperability

Once Rule 4 of the DPDP Rules is fully operational and the Data Protection Board of India publishes registered Consent Managers, CoShot will integrate with at least one DPB-registered Consent Manager so you may manage, review, and withdraw your consents across data fiduciaries from a single interface, in line with Section 6(7) of the DPDP Act.


§ 20. Grievance Officer / Data Protection Contact

In compliance with Rule 5(8) and 5(9) of the SPDI Rules, Rule 3(2) of the Intermediary Rules, Section 8(9) of the DPDP Act, Rule 4(8) and 5 of the E-Commerce Rules, and the applicable provisions of the DPDP Rules:

Grievance Officer / Data Protection Contact

Name: A designated officer of Axero Private Limited.
Address: Plot No. 46, Parihar Nagar, Bhadasiya, Jodhpur Mahamandir, Jodhpur — 342006, Rajasthan, India.
Email: contact@coshot.in (We reserve the right to operate separate addresses grievance@coshot.in and privacy@coshot.in in future without further amendment to this Policy. Their activation will be reflected on this page.)
Hours: Monday–Friday, 10:00–18:00 IST (excluding public holidays in Rajasthan).

We will acknowledge complaints within 24 hours and dispose of them within 15 days under the Intermediary Rules, and within 90 days for matters involving Data Principal rights under the DPDP Rules.


§ 21. Changes to this Policy

We distinguish between non-material changes (typo fixes, processor name updates, address changes), for which we update the “Last Updated” date, and material changes (new categories of data, new purposes, new transfers, changes to retention or your rights), for which we will (i) post a prominent in-app banner, (ii) email registered users at least 30 days in advance where reasonable, and (iii) require fresh affirmative consent (“click-to-accept”) on next sign-in. You will have a 60-day grace period to review, accept, or close your account with full export of your data. Continued use after the grace period without affirmatively rejecting constitutes acceptance only for non-material changes; material changes always require affirmative consent.


§ 22. Governing Law and Jurisdiction

This Policy is governed by the laws of India. Any dispute is subject to the dispute-resolution clause of the CoShot Terms of Use (mediation under the Mediation Act, 2023, then arbitration seated in Jodhpur, with courts at Jodhpur, Rajasthan having exclusive supervisory jurisdiction). Nothing in this Policy waives statutory consumer rights under the Consumer Protection Act, 2019.


§ 23. Contact

For any privacy-related question, request, or grievance:

Axero Private Limited
Plot No. 46, Parihar Nagar, Bhadasiya
Jodhpur Mahamandir, Jodhpur — 342006
Rajasthan, India
Email: contact@coshot.in
Website: https://www.coshot.in


End of Privacy Policy